@sanctuary-framework/mcp-server 0.7.0 → 0.8.0

package/dist/index.d.cts

@@ -127,157 +127,6 @@ interface StorageBackend {
     totalSize(): Promise<number>;
 }
 
-/**
- * Sanctuary MCP Server — AES-256-GCM Encryption
- *
- * All state encryption in Sanctuary uses AES-256-GCM (authenticated encryption).
- * This provides both confidentiality and integrity — a modified ciphertext will
- * fail authentication, detecting tampering.
- *
- * Security invariants:
- * - Every encryption uses a unique 12-byte IV (NIST SP 800-38D)
- * - The 16-byte authentication tag is always verified on decryption
- * - Keys are 256 bits (32 bytes)
- */
-/** Encrypted payload structure stored on disk */
-interface EncryptedPayload {
-    /** Format version */
-    v: number;
-    /** Algorithm identifier */
-    alg: "aes-256-gcm";
-    /** Initialization vector (base64url) */
-    iv: string;
-    /** Ciphertext (base64url) */
-    ct: string;
-    /** Authentication tag (base64url) — included in ciphertext by @noble/ciphers */
-    /** Timestamp */
-    ts: string;
-}
-
-/**
- * Sanctuary MCP Server — L1 Cognitive Sovereignty: StateStore
- *
- * The encrypted state store is the foundation of Sanctuary.
- * Every read and write goes through here. All data is encrypted
- * with namespace-specific keys. All writes are signed by an identity.
- * All reads verify integrity via Merkle proofs.
- *
- * Security invariants:
- * - Plaintext never touches the filesystem
- * - Every write gets a unique IV
- * - Every write is signed (non-repudiation)
- * - Monotonic version numbers prevent rollback
- * - Merkle tree verifies namespace integrity
- * - Secure deletion overwrites before unlinking
- */
-
-/** Result of a state write operation */
-interface WriteResult {
-    key: string;
-    namespace: string;
-    version: number;
-    merkle_root: string;
-    written_at: string;
-    size_bytes: number;
-    integrity_hash: string;
-}
-/** Result of a state read operation */
-interface ReadResult {
-    key: string;
-    namespace: string;
-    value: string;
-    version: number;
-    integrity_verified: boolean;
-    merkle_proof: string[];
-    written_at: string;
-    written_by: string;
-}
-/** Options for state write */
-interface WriteOptions {
-    content_type?: string;
-    ttl_seconds?: number;
-    tags?: string[];
-}
-declare class StateStore {
-    private storage;
-    private masterKey;
-    private versionCache;
-    private contentHashes;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
-    private versionKey;
-    /**
-     * Get or initialize the content hash map for a namespace.
-     */
-    private getNamespaceHashes;
-    /**
-     * Write encrypted state.
-     *
-     * @param namespace - Logical grouping
-     * @param key - State key
-     * @param value - Plaintext value (will be encrypted)
-     * @param identityId - Identity performing the write
-     * @param encryptedPrivateKey - Identity's encrypted private key (for signing)
-     * @param identityEncryptionKey - Key to decrypt the identity's private key
-     * @param options - Optional metadata
-     */
-    write(namespace: string, key: string, value: string, identityId: string, encryptedPrivateKey: EncryptedPayload, identityEncryptionKey: Uint8Array, options?: WriteOptions): Promise<WriteResult>;
-    /**
-     * Read and decrypt state.
-     *
-     * @param namespace - Logical grouping
-     * @param key - State key
-     * @param signerPublicKey - Expected signer's public key (for signature verification)
-     * @param verifyIntegrity - Whether to verify Merkle proof (default: true)
-     */
-    read(namespace: string, key: string, signerPublicKey?: Uint8Array, verifyIntegrity?: boolean): Promise<ReadResult | null>;
-    /**
-     * List keys in a namespace (metadata only — no decryption).
-     */
-    list(namespace: string, prefix?: string, tags?: string[], limit?: number, offset?: number): Promise<{
-        keys: Array<{
-            key: string;
-            version: number;
-            size_bytes: number;
-            written_at: string;
-            tags: string[];
-        }>;
-        total: number;
-        merkle_root: string;
-    }>;
-    /**
-     * Securely delete state (overwrite with random bytes before removal).
-     */
-    delete(namespace: string, key: string): Promise<{
-        deleted: boolean;
-        key: string;
-        namespace: string;
-        new_merkle_root: string;
-        deleted_at: string;
-    }>;
-    /**
-     * Export all state for a namespace as an encrypted bundle.
-     */
-    export(namespace?: string): Promise<{
-        bundle: string;
-        namespaces: string[];
-        total_keys: number;
-        bundle_hash: string;
-        exported_at: string;
-    }>;
-    /**
-     * Import a previously exported state bundle.
-     */
-    import(bundleBase64: string, conflictResolution: "skip" | "overwrite" | "version" | undefined, publicKeyResolver: (kid: string) => Uint8Array | null): Promise<{
-        imported_keys: number;
-        skipped_keys: number;
-        skipped_invalid_sig: number;
-        skipped_unknown_kid: number;
-        conflicts: number;
-        namespaces: string[];
-        imported_at: string;
-    }>;
-}
-
 /**
  * Sanctuary MCP Server — L2 Operational Isolation: Audit Log
  *
@@ -328,942 +177,995 @@ declare class AuditLog {
 }
 
 /**
- * Sanctuary MCP Server — L3 Selective Disclosure: Commitment Schemes
- *
- * Cryptographic commitments allow an agent to commit to a value
- * without revealing it, then later prove what was committed.
- *
- * This is the MVS approach to selective disclosure — simpler than
- * full ZK proofs but still cryptographically sound. The commitment
- * is SHA-256(value || blinding_factor), which is:
- * - Hiding: the commitment reveals nothing about the value
- * - Binding: the committer cannot change the value after committing
+ * Sanctuary MCP Server — Principal Policy Types
  *
- * Security invariants:
- * - Blinding factors are cryptographically random (32 bytes)
- * - Commitments are stored encrypted under L1 sovereignty
- * - Revealed values are verified via constant-time comparison
+ * Type definitions for the Principal Policy system.
+ * The Principal Policy is the human-controlled, agent-immutable
+ * configuration that gates operations through approval tiers.
  */
-
-/** A cryptographic commitment */
-interface Commitment {
-    /** The commitment hash: SHA-256(value || blinding_factor) as base64url */
-    commitment: string;
-    /** The blinding factor (must be stored securely for later reveal) */
-    blinding_factor: string;
-    /** When the commitment was created */
-    committed_at: string;
-}
-/** Stored commitment metadata (encrypted at rest) */
-interface StoredCommitment {
-    commitment: string;
-    blinding_factor: string;
-    value: string;
-    committed_at: string;
-    revealed: boolean;
-    revealed_at?: string;
+/** Tier 2 anomaly action: what to do when an anomaly is detected */
+type AnomalyAction = "approve" | "log" | "allow";
+/** Tier 2 anomaly detection configuration */
+interface Tier2Config {
+    /** Action when agent accesses a namespace it hasn't used before */
+    new_namespace_access: AnomalyAction;
+    /** Action when agent interacts with an unknown counterparty DID */
+    new_counterparty: AnomalyAction;
+    /** Tool call frequency multiplier that triggers anomaly */
+    frequency_spike_multiplier: number;
+    /** Maximum signing operations per minute before triggering */
+    max_signs_per_minute: number;
+    /** Reading more than N keys in a namespace within 60 seconds */
+    bulk_read_threshold: number;
+    /** Policy for first session when no baseline exists */
+    first_session_policy: AnomalyAction;
 }
-/**
- * Commitment store — manages commitments encrypted under L1 sovereignty.
- */
-declare class CommitmentStore {
-    private storage;
-    private encryptionKey;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
-    /**
-     * Store a commitment (encrypted) for later reference.
-     */
-    store(commitment: Commitment, value: string): Promise<string>;
-    /**
-     * Retrieve a stored commitment by ID.
-     */
-    get(id: string): Promise<StoredCommitment | null>;
+/** Approval channel configuration */
+interface ApprovalChannelConfig {
+    type: "stderr" | "webhook" | "callback";
+    timeout_seconds: number;
     /**
-     * Mark a commitment as revealed.
+     * SEC-002: auto_deny is hardcoded to true and not configurable.
+     * Timeout on any approval channel ALWAYS results in denial.
+     * This field is retained for backward compatibility with existing
+     * policy files but is ignored — timeout always denies.
      */
-    markRevealed(id: string): Promise<void>;
+    auto_deny?: boolean;
+    webhook_url?: string;
+    webhook_secret?: string;
 }
-
-/**
- * Sanctuary MCP Server — L3 Selective Disclosure: Zero-Knowledge Proofs
- *
- * Upgrades the commitment-only L3 to support real zero-knowledge proofs.
- * Uses Ristretto255 (prime-order curve group, no cofactor issues) for:
- *
- *   1. Pedersen commitments: C = v*G + b*H (computationally hiding, perfectly binding)
- *   2. ZK proof of knowledge: Schnorr sigma protocol via Fiat-Shamir
- *   3. ZK range proofs: Prove value ∈ [min, max] without revealing it
- *
- * Ristretto255 is available via @noble/curves/ed25519, which we already depend on.
- * This is genuine zero-knowledge — proofs reveal nothing beyond the stated property.
- *
- * Architecture note:
- * The existing commitment scheme (SHA-256 based) remains available for backward
- * compatibility. The ZK proofs operate on a separate Pedersen commitment system
- * that provides algebraic structure for proper ZK properties.
- *
- * Security invariants:
- * - Generator H is derived via hash-to-curve (nothing-up-my-sleeve)
- * - Blinding factors are cryptographically random (32 bytes)
- * - Fiat-Shamir challenges use domain-separated hashing
- * - Range proofs use a bit-decomposition approach (sound but logarithmic size)
- */
-/** A Pedersen commitment: C = v*G + b*H */
-interface PedersenCommitment {
-    /** The commitment point (encoded as base64url) */
-    commitment: string;
-    /** The blinding factor b (base64url, 32 bytes) — keep secret */
-    blinding_factor: string;
-    /** When the commitment was created */
-    committed_at: string;
+/** Complete Principal Policy */
+interface PrincipalPolicy {
+    version: number;
+    /** Operations that always require human approval */
+    tier1_always_approve: string[];
+    /** Behavioral anomaly detection configuration */
+    tier2_anomaly: Tier2Config;
+    /** Operations that never require approval (audit only) */
+    tier3_always_allow: string[];
+    /** How approval requests reach the human */
+    approval_channel: ApprovalChannelConfig;
 }
-/** A non-interactive ZK proof of knowledge of a commitment's opening */
-interface ZKProofOfKnowledge {
-    /** Proof type identifier */
-    type: "schnorr-pedersen-ristretto255";
-    /** The commitment this proof is for */
-    commitment: string;
-    /** Announcement point R (base64url) */
-    announcement: string;
-    /** Response scalar s_v (base64url) */
-    response_v: string;
-    /** Response scalar s_b (base64url) */
-    response_b: string;
-    /** Proof generated at */
-    generated_at: string;
+/** Approval request sent to the human */
+interface ApprovalRequest {
+    operation: string;
+    tier: 1 | 2;
+    reason: string;
+    context: Record<string, unknown>;
+    timestamp: string;
 }
-/** A ZK range proof: proves value ∈ [min, max] */
-interface ZKRangeProof {
-    /** Proof type identifier */
-    type: "range-pedersen-ristretto255";
-    /** The commitment this proof is for */
-    commitment: string;
-    /** Minimum value (inclusive) */
-    min: number;
-    /** Maximum value (inclusive) */
-    max: number;
-    /** Bit commitments for the shifted value (v - min) */
-    bit_commitments: string[];
-    /** Proofs that each bit commitment is 0 or 1 */
-    bit_proofs: Array<{
-        announcement_0: string;
-        announcement_1: string;
-        challenge_0: string;
-        challenge_1: string;
-        response_0: string;
-        response_1: string;
-    }>;
-    /** Sum proof: bit commitments sum to the value commitment */
-    sum_proof: {
-        announcement: string;
-        response: string;
-    };
-    /** Proof generated at */
-    generated_at: string;
+/** Approval response from the human */
+interface ApprovalResponse {
+    decision: "approve" | "deny";
+    decided_at: string;
+    decided_by: "human" | "timeout" | "auto" | "stderr:non-interactive";
+}
+/** Result of the approval gate evaluation */
+interface GateResult {
+    allowed: boolean;
+    tier: 1 | 2 | 3;
+    reason: string;
+    approval_required: boolean;
+    approval_response?: ApprovalResponse;
+}
+/** Behavioral baseline for anomaly detection */
+interface SessionProfile {
+    /** Namespaces accessed (read or write) */
+    known_namespaces: string[];
+    /** Counterparty DIDs seen in reputation operations */
+    known_counterparties: string[];
+    /** Tool call counts per tool name (lifetime in session) */
+    tool_call_counts: Record<string, number>;
+    /** Whether this is the first session (no prior baseline) */
+    is_first_session: boolean;
+    /** Session start time */
+    started_at: string;
+    /** When the baseline was last saved */
+    saved_at?: string;
 }
+
 /**
- * Create a Pedersen commitment to a numeric value.
- *
- * C = v*G + b*H
- *
- * Properties:
- * - Computationally hiding (under discrete log assumption)
- * - Perfectly binding (information-theoretic)
- * - Homomorphic: C(v1) + C(v2) = C(v1+v2) with adjusted blinding
+ * Sanctuary MCP Server — Approval Channel
  *
- * @param value - The value to commit to (integer)
- * @returns The commitment and blinding factor
- */
-declare function createPedersenCommitment(value: number): PedersenCommitment;
-/**
- * Verify a Pedersen commitment against a revealed value and blinding factor.
+ * Out-of-band communication with the human principal for operation approval.
+ * The default channel uses stderr (outside MCP's stdin/stdout protocol),
+ * ensuring the agent cannot intercept or forge approval responses.
  *
- * Recomputes C' = v*G + b*H and checks C' == C.
+ * Security invariant:
+ * - Approval prompts go through a channel the agent cannot access.
+ * - Timeouts result in denial by default (fail closed).
  */
-declare function verifyPedersenCommitment(commitment: string, value: number, blindingFactor: string): boolean;
+
+/** Abstract approval channel interface */
+interface ApprovalChannel {
+    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
+}
 /**
- * Create a non-interactive ZK proof that you know the opening (v, b)
- * of a Pedersen commitment C = v*G + b*H.
- *
- * Schnorr sigma protocol with Fiat-Shamir transform:
- *   1. Pick random r_v, r_b
- *   2. Compute R = r_v*G + r_b*H (announcement)
- *   3. Compute e = H_FS(C || R) (challenge via Fiat-Shamir)
- *   4. Compute s_v = r_v + e*v, s_b = r_b + e*b (responses)
- *   5. Proof = (R, s_v, s_b)
+ * Stderr approval channel — non-interactive informational channel.
  *
- * Zero-knowledge: the transcript (R, e, s_v, s_b) can be simulated
- * without knowing (v, b), so it reveals nothing.
+ * In the MCP stdio model:
+ * - stdin/stdout carry the MCP protocol (JSON-RPC)
+ * - stderr is available for out-of-band human communication
  *
- * @param value - The committed value
- * @param blindingFactor - The blinding factor (base64url)
- * @param commitment - The commitment (base64url)
- */
-declare function createProofOfKnowledge(value: number, blindingFactor: string, commitment: string): ZKProofOfKnowledge;
-/**
- * Verify a ZK proof of knowledge of a commitment's opening.
+ * Because stdin is consumed by the MCP JSON-RPC transport, this channel
+ * CANNOT read interactive human input. It is strictly informational:
+ * the prompt is displayed so the human sees what is happening, and the
+ * operation is denied immediately.
  *
- * Check: s_v*G + s_b*H == R + e*C
+ * SEC-002 + SEC-016 invariants:
+ * - This channel ALWAYS denies. No configuration can change this.
+ * - There is no timeout or async delay — denial is synchronous.
+ * - The `auto_deny` config field is ignored (SEC-002).
+ * - For interactive approval, use the dashboard or webhook channel.
  */
-declare function verifyProofOfKnowledge(proof: ZKProofOfKnowledge): boolean;
+declare class StderrApprovalChannel implements ApprovalChannel {
+    constructor(_config: ApprovalChannelConfig);
+    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
+    private formatPrompt;
+}
 /**
- * Create a ZK range proof: prove value ∈ [min, max] without revealing value.
- *
- * Approach: bit-decomposition of (value - min) into n bits where 2^n > max - min.
- * Each bit gets a Pedersen commitment and a proof it's 0 or 1.
- * A sum proof shows the bit commitments reconstruct the original commitment
- * (shifted by min).
- *
- * @param value - The committed value
- * @param blindingFactor - The blinding factor (base64url)
- * @param commitment - The commitment (base64url)
- * @param min - Minimum value (inclusive)
- * @param max - Maximum value (inclusive)
+ * Programmatic approval channel — for testing and API integration.
  */
-declare function createRangeProof(value: number, blindingFactor: string, commitment: string, min: number, max: number): ZKRangeProof | {
-    error: string;
-};
+declare class CallbackApprovalChannel implements ApprovalChannel {
+    private callback;
+    constructor(callback: (request: ApprovalRequest) => Promise<ApprovalResponse>);
+    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
+}
 /**
- * Verify a ZK range proof.
+ * Auto-approve channel — for testing. Approves everything.
  */
-declare function verifyRangeProof(proof: ZKRangeProof): boolean;
+declare class AutoApproveChannel implements ApprovalChannel {
+    requestApproval(_request: ApprovalRequest): Promise<ApprovalResponse>;
+}
 
 /**
- * Sanctuary MCP Server — L3 Selective Disclosure: Disclosure Policies
- *
- * Disclosure policies define what an agent will and will not disclose
- * in different interaction contexts. Policies are evaluated against
- * incoming disclosure requests to produce per-field decisions.
+ * Sanctuary MCP Server — Behavioral Baseline Tracker
  *
- * This is the agent's "privacy preferences" layer — it codifies the
- * human principal's intent about what information can flow where.
+ * Tracks the agent's behavioral profile during a session and persists
+ * it for cross-session anomaly detection. The baseline defines "normal"
+ * so that deviations can trigger Tier 2 approval.
  *
  * Security invariants:
- * - Policies are stored encrypted under L1 sovereignty
- * - Default action is always "withhold" unless explicitly overridden
- * - Policy evaluation is deterministic (same request → same decision)
+ * - Baseline is stored encrypted under L1 sovereignty
+ * - Baseline changes are audit-logged
+ * - Baseline is integrity-verified via L1 Merkle tree
+ * - No MCP tool can directly modify the baseline
  */
 
-/** A single disclosure rule within a policy */
-interface DisclosureRule {
-    /** Interaction context this rule applies to */
-    context: string;
-    /** Fields/claims the agent MAY disclose */
-    disclose: string[];
-    /** Fields/claims the agent MUST NOT disclose */
-    withhold: string[];
-    /** Fields that require proof rather than plain disclosure */
-    proof_required: string[];
-}
-/** A complete disclosure policy */
-interface DisclosurePolicy {
-    policy_id: string;
-    policy_name: string;
-    rules: DisclosureRule[];
-    default_action: "withhold" | "ask-principal";
-    identity_id?: string;
-    created_at: string;
-    updated_at: string;
-}
-/**
- * Policy store — manages disclosure policies encrypted under L1 sovereignty.
- */
-declare class PolicyStore {
+declare class BaselineTracker {
     private storage;
     private encryptionKey;
-    private policies;
+    private profile;
+    /** Sliding window: timestamps of tool calls per tool name (last 60s) */
+    private callWindows;
+    /** Sliding window: read counts per namespace (last 60s) */
+    private readWindows;
+    /** Sliding window: sign call timestamps (last 60s) */
+    private signWindow;
     constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Create and store a new disclosure policy.
+     * Load the previous session's baseline from storage.
+     * If none exists, this is a first session.
      */
-    create(policyName: string, rules: DisclosureRule[], defaultAction: "withhold" | "ask-principal", identityId?: string): Promise<DisclosurePolicy>;
+    load(): Promise<void>;
     /**
-     * Get a policy by ID.
+     * Save the current baseline to storage (encrypted).
+     * Called at session end or periodically.
      */
-    get(policyId: string): Promise<DisclosurePolicy | null>;
+    save(): Promise<void>;
     /**
-     * List all policies.
+     * Record a tool call for baseline tracking.
+     * Returns anomaly information if applicable.
      */
-    list(): Promise<DisclosurePolicy[]>;
+    recordToolCall(toolName: string): void;
     /**
-     * Load all persisted policies into memory.
+     * Record a namespace access.
+     * @returns true if this is a new namespace (not in baseline)
      */
-    private loadAll;
-    private persist;
+    recordNamespaceAccess(namespace: string): boolean;
+    /**
+     * Record a namespace read for bulk-read detection.
+     * @returns the number of reads in the current 60-second window
+     */
+    recordNamespaceRead(namespace: string): number;
+    /**
+     * Record a counterparty DID interaction.
+     * @returns true if this is a new counterparty (not in baseline)
+     */
+    recordCounterparty(did: string): boolean;
+    /**
+     * Record a signing operation.
+     * @returns the number of signs in the current 60-second window
+     */
+    recordSign(): number;
+    /**
+     * Get the current call rate for a tool (calls per minute).
+     */
+    getCallRate(toolName: string): number;
+    /**
+     * Get the average call rate across all tools in the baseline.
+     */
+    getAverageCallRate(): number;
+    /** Whether this is the first session */
+    get isFirstSession(): boolean;
+    /** Get a read-only view of the current profile */
+    getProfile(): SessionProfile;
 }
 
 /**
- * Sanctuary MCP Server — Ed25519 Identity Management
+ * Sanctuary MCP Server — Prompt Injection Detection Layer
  *
- * Sovereign identity based on Ed25519 keypairs.
- * Private keys are always encrypted at rest — never stored in plaintext.
+ * Fast, zero-dependency detection of common prompt injection patterns.
+ * Scans tool arguments for role override, security bypass, encoding evasion,
+ * data exfiltration, and prompt stuffing signals.
+ *
+ * SEC-034/SEC-035: Enhanced with Unicode sanitization pre-pass, decoded content
+ * re-scanning, token budget analysis, and outbound content scanning.
  *
  * Security invariants:
- * - Private keys never appear in any MCP tool response
- * - Private keys are encrypted with identity-specific keys derived from the master key
- * - Key rotation produces a signed rotation event (verifiable chain)
+ * - Always returns a result, never throws
+ * - Typical scan completes in < 5ms
+ * - False positives minimized via field-aware scanning
+ * - Recursive scanning of nested objects/arrays
+ * - Outbound scanning catches secret leaks and injection artifact survival
  */
-
-/** Public identity information (safe to share) */
-interface PublicIdentity {
-    identity_id: string;
-    label: string;
-    public_key: string;
-    did: string;
-    created_at: string;
-    key_type: "ed25519";
-    key_protection: "passphrase" | "hardware-key" | "recovery-key";
+interface InjectionDetectorConfig {
+    enabled: boolean;
+    sensitivity: "low" | "medium" | "high";
+    on_detection: "escalate" | "block" | "log";
+    custom_patterns?: string[];
 }
-/** Stored identity (private key is encrypted) */
-interface StoredIdentity extends PublicIdentity {
-    encrypted_private_key: EncryptedPayload;
-    /** Previous public keys (for rotation chain verification) */
-    rotation_history: Array<{
-        old_public_key: string;
-        new_public_key: string;
-        rotation_event: string;
-        rotated_at: string;
-    }>;
+interface InjectionSignal {
+    type: string;
+    pattern: string;
+    location: string;
+    severity: "low" | "medium" | "high";
+}
+interface DetectionResult {
+    flagged: boolean;
+    confidence: number;
+    signals: InjectionSignal[];
+    recommendation: "allow" | "escalate" | "block";
+}
+declare class InjectionDetector {
+    private config;
+    private stats;
+    constructor(config?: Partial<InjectionDetectorConfig>);
+    /**
+     * Scan tool arguments for injection signals.
+     * @param toolName Full tool name (e.g., "state_read")
+     * @param args Tool arguments
+     * @returns DetectionResult with all detected signals
+     */
+    scan(toolName: string, args: Record<string, unknown>): DetectionResult;
+    /**
+     * SEC-035: Scan outbound content for secret leaks, data exfiltration,
+     * internal path exposure, and injection artifact survival.
+     *
+     * @param content The outbound content string to scan
+     * @returns DetectionResult with outbound-specific signal types
+     */
+    scanOutbound(content: string): DetectionResult;
+    /**
+     * Recursively scan a value and all nested values.
+     */
+    private scanValue;
+    /**
+     * Scan a single string for injection signals.
+     */
+    private scanString;
+    /**
+     * Count invisible Unicode characters in a string.
+     * Includes zero-width chars, soft hyphens, directional marks,
+     * variation selectors, and other invisible categories.
+     */
+    private countInvisibleChars;
+    /**
+     * Strip invisible characters from a string for clean pattern matching.
+     * Returns a new string with all invisible chars removed.
+     */
+    private stripInvisibleChars;
+    /**
+     * SEC-034: Token budget attack detection.
+     * Some Unicode sequences expand dramatically during tokenization (e.g., CJK
+     * ideographs, combining characters, emoji sequences). If the estimated token
+     * cost per character is anomalously high, this may be a wallet-drain payload.
+     *
+     * Heuristic: count chars that typically tokenize into multiple tokens.
+     * If the ratio of estimated tokens to char count exceeds 3x, flag it.
+     */
+    private detectTokenBudgetAttack;
+    /**
+     * Detect encoded content (base64, hex, HTML entities, URL encoding),
+     * decode it, and re-scan the decoded content through injection patterns.
+     * If the decoded content contains injection patterns, flag as encoding_evasion.
+     */
+    private detectEncodedPayloads;
+    /**
+     * Check if a string contains any injection patterns (role override or security bypass).
+     */
+    private containsInjectionPatterns;
+    /**
+     * Safely decode a base64 string. Returns null if it's not valid base64
+     * or doesn't decode to a meaningful string.
+     */
+    private safeBase64Decode;
+    /**
+     * Safely decode a hex string. Returns null on failure.
+     */
+    private safeHexDecode;
+    /**
+     * Decode HTML numeric entities (&#xHH; and &#DDD;) in a string.
+     */
+    private decodeHtmlEntities;
+    /**
+     * Safely decode a URL-encoded string. Returns null on failure.
+     */
+    private safeUrlDecode;
+    /**
+     * Heuristic: does this look like readable text (vs. binary garbage)?
+     * Checks that most characters are printable ASCII or common Unicode.
+     */
+    private looksLikeText;
+    /**
+     * Detect API keys and secrets in outbound content.
+     */
+    private detectSecretPatterns;
+    /**
+     * Detect data exfiltration via markdown images with data-carrying query params.
+     */
+    private detectOutboundExfiltration;
+    /**
+     * Detect internal filesystem path leaks in outbound content.
+     */
+    private detectInternalPathLeaks;
+    /**
+     * Detect private IP addresses and localhost references in outbound content.
+     */
+    private detectPrivateNetworkLeaks;
+    /**
+     * Detect role markers / prompt template artifacts in outbound content.
+     * These should never appear in agent output — their presence indicates
+     * injection artifact survival.
+     */
+    private detectOutputRoleMarkers;
+    /**
+     * Detect base64 strings, base64url, and zero-width character evasion.
+     */
+    private detectEncodingEvasion;
+    /**
+     * Detect URLs and emails in fields that shouldn't have them.
+     */
+    private detectDataExfiltration;
+    /**
+     * Detect prompt stuffing: very large strings or high repetition.
+     */
+    private detectPromptStuffing;
+    /**
+     * Determine if this field is inherently safe from role override.
+     */
+    private isSafeField;
+    /**
+     * Determine if this is a tool name field (where tool refs are expected).
+     */
+    private isToolNameField;
+    /**
+     * Determine if this field is safe for URLs.
+     */
+    private isUrlSafeField;
+    /**
+     * Determine if this field is safe for emails.
+     */
+    private isEmailSafeField;
+    /**
+     * Determine if this field is safe for structured data (JSON/XML).
+     */
+    private isStructuredField;
+    /**
+     * SEC-032/SEC-034: Map common cross-script confusable characters to their
+     * Latin equivalents. NFKC normalization handles fullwidth and compatibility
+     * forms, but does NOT map Cyrillic/Greek/Armenian/Georgian lookalikes to
+     * Latin (they're distinct codepoints by design).
+     *
+     * Extended to 50+ confusable pairs covering Cyrillic, Greek, Armenian,
+     * Georgian, Cherokee, and mathematical/symbol lookalikes.
+     */
+    private normalizeConfusables;
+    /**
+     * Compute confidence score based on signals.
+     * More high-severity signals = higher confidence.
+     */
+    private computeConfidence;
+    /**
+     * Compute recommendation based on signals and sensitivity.
+     */
+    private computeRecommendation;
+    /**
+     * Get statistics about scans performed.
+     */
+    getStats(): {
+        total_scans: number;
+        total_flags: number;
+        total_blocks: number;
+        signals_by_type: Record<string, number>;
+    };
+    /**
+     * Reset statistics.
+     */
+    resetStats(): void;
 }
 
 /**
- * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types
+ * Sanctuary MCP Server — Approval Gate
  *
- * Machine-readable, signed, versioned sovereignty capability advertisement.
- * An agent presents its SHR to counterparties to prove its sovereignty posture.
- * The SHR is signed by one of the instance's Ed25519 identities and can be
- * independently verified by any party without trusting the presenter.
+ * The three-tier approval gate sits between the MCP router and tool handlers.
+ * Every tool call passes through the gate before execution.
  *
- * SHR version: 1.0
+ * Evaluation order:
+ * 1. Tier 1: Is this operation in the always-approve list? → Request approval.
+ * 2. Tier 2: Does this call represent a behavioral anomaly? → Request approval.
+ * 3. Tier 3 / default: Allow with audit logging.
+ *
+ * Security invariants:
+ * - The gate cannot be bypassed — it wraps every tool handler.
+ * - Denial responses do not reveal policy details to the agent.
+ * - All gate decisions (approve, deny, allow) are audit-logged.
  */
-type LayerStatus = "active" | "degraded" | "inactive";
-type DegradationSeverity = "info" | "warning" | "critical";
-type DegradationCode = "NO_TEE" | "PROCESS_ISOLATION_ONLY" | "COMMITMENT_ONLY" | "NO_ZK_PROOFS" | "SELF_REPORTED_ATTESTATION" | "NO_SELECTIVE_DISCLOSURE" | "BASIC_SYBIL_ONLY";
-interface SHRLayerL1 {
-    status: LayerStatus;
-    encryption: string;
-    key_custody: "self" | "delegated" | "platform";
-    integrity: string;
-    identity_type: string;
-    state_portable: boolean;
-}
-interface SHRLayerL2 {
-    status: LayerStatus;
-    isolation_type: string;
-    attestation_available: boolean;
-    /** Model provenance: what inference model(s) power this agent */
-    model_provenance?: {
-        model_id: string;
-        model_name: string;
-        provider: string;
-        open_weights: boolean;
-        open_source: boolean;
-        local_inference: boolean;
-        weights_hash?: string;
-    };
-}
-interface SHRLayerL3 {
-    status: LayerStatus;
-    proof_system: string;
-    selective_disclosure: boolean;
-}
-interface SHRLayerL4 {
-    status: LayerStatus;
-    reputation_mode: string;
-    attestation_format: string;
-    reputation_portable: boolean;
-}
-interface SHRDegradation {
-    layer: "l1" | "l2" | "l3" | "l4";
-    code: DegradationCode;
-    severity: DegradationSeverity;
-    description: string;
-    mitigation?: string;
-}
-interface SHRCapabilities {
-    handshake: boolean;
-    shr_exchange: boolean;
-    reputation_verify: boolean;
-    encrypted_channel: boolean;
+
+/** Callback invoked when an injection is detected, for dashboard broadcasting */
+type InjectionAlertCallback = (alert: {
+    toolName: string;
+    result: DetectionResult;
+    timestamp: string;
+}) => void;
+/** Resolver for proxy tool tiers — provided by the ProxyRouter */
+type ProxyTierResolver = (toolName: string) => (1 | 2 | 3) | null;
+declare class ApprovalGate {
+    private policy;
+    private baseline;
+    private channel;
+    private auditLog;
+    private injectionDetector;
+    private onInjectionAlert?;
+    private proxyTierResolver?;
+    constructor(policy: PrincipalPolicy, baseline: BaselineTracker, channel: ApprovalChannel, auditLog: AuditLog, injectionDetector?: InjectionDetector, onInjectionAlert?: InjectionAlertCallback);
+    /**
+     * Set the proxy tier resolver. Called after the proxy router is initialized.
+     */
+    setProxyTierResolver(resolver: ProxyTierResolver): void;
+    /**
+     * Evaluate a tool call against the Principal Policy.
+     *
+     * @param toolName - Full MCP tool name (e.g., "state_export")
+     * @param args - Tool call arguments (for context extraction)
+     * @returns GateResult indicating whether the call is allowed
+     */
+    evaluate(toolName: string, args: Record<string, unknown>): Promise<GateResult>;
+    /**
+     * Detect Tier 2 behavioral anomalies.
+     */
+    private detectAnomaly;
+    /**
+     * Request approval from the human principal.
+     */
+    private requestApproval;
+    /**
+     * Summarize tool arguments for the approval prompt.
+     * Strips potentially large values to keep the prompt readable.
+     */
+    private summarizeArgs;
+    /** Get the baseline tracker for saving at session end */
+    getBaseline(): BaselineTracker;
+    /** Get the injection detector for stats/configuration access */
+    getInjectionDetector(): InjectionDetector;
 }
+
 /**
- * The SHR body — the content that gets signed.
- * Canonical form: JSON with sorted keys, no whitespace.
+ * Sanctuary MCP Server — Tool Router
+ *
+ * Routes sanctuary/* tool calls to their layer-specific handlers.
+ * Every tool call passes through schema validation and the ApprovalGate
+ * (if configured) before execution. Neither can be bypassed.
+ *
+ * This module is the abstraction boundary for MCP SDK version migration —
+ * if the SDK API changes, only this module needs updating.
  */
-interface SHRBody {
-    shr_version: "1.0";
-    implementation: {
-        sanctuary_version: string;
-        node_version: string;
-        generated_by: string;
-    };
-    instance_id: string;
-    generated_at: string;
-    expires_at: string;
-    layers: {
-        l1: SHRLayerL1;
-        l2: SHRLayerL2;
-        l3: SHRLayerL3;
-        l4: SHRLayerL4;
-    };
-    capabilities: SHRCapabilities;
-    degradations: SHRDegradation[];
+
+/** Tool handler function signature */
+type ToolHandler = (args: Record<string, unknown>) => Promise<{
+    content: Array<{
+        type: "text";
+        text: string;
+    }>;
+}>;
+/** Tool definition for registration */
+interface ToolDefinition {
+    name: string;
+    description: string;
+    inputSchema: Record<string, unknown>;
+    handler: ToolHandler;
 }
+
 /**
- * The complete signed SHR — body + signature envelope.
+ * Sanctuary MCP Server — AES-256-GCM Encryption
+ *
+ * All state encryption in Sanctuary uses AES-256-GCM (authenticated encryption).
+ * This provides both confidentiality and integrity — a modified ciphertext will
+ * fail authentication, detecting tampering.
+ *
+ * Security invariants:
+ * - Every encryption uses a unique 12-byte IV (NIST SP 800-38D)
+ * - The 16-byte authentication tag is always verified on decryption
+ * - Keys are 256 bits (32 bytes)
  */
-interface SignedSHR {
-    body: SHRBody;
-    signed_by: string;
-    signature: string;
-}
-interface SHRVerificationResult {
-    valid: boolean;
-    errors: string[];
-    warnings: string[];
-    sovereignty_level: "full" | "degraded" | "minimal";
-    counterparty_id: string;
-    expires_at: string;
+/** Encrypted payload structure stored on disk */
+interface EncryptedPayload {
+    /** Format version */
+    v: number;
+    /** Algorithm identifier */
+    alg: "aes-256-gcm";
+    /** Initialization vector (base64url) */
+    iv: string;
+    /** Ciphertext (base64url) */
+    ct: string;
+    /** Authentication tag (base64url) — included in ciphertext by @noble/ciphers */
+    /** Timestamp */
+    ts: string;
 }
 
 /**
- * Sanctuary MCP Server — Sovereignty Handshake Types
+ * Sanctuary MCP Server — L1 Cognitive Sovereignty: StateStore
  *
- * The sovereignty handshake is a mutual verification protocol between
- * two Sanctuary instances. Each party presents its SHR and proves
- * liveness via nonce challenge-response.
+ * The encrypted state store is the foundation of Sanctuary.
+ * Every read and write goes through here. All data is encrypted
+ * with namespace-specific keys. All writes are signed by an identity.
+ * All reads verify integrity via Merkle proofs.
  *
- * Protocol:
- *   A → B: HandshakeChallenge (A's SHR + nonce)
- *   B → A: HandshakeResponse (B's SHR + B's nonce + signature over A's nonce)
- *   A → B: HandshakeCompletion (signature over B's nonce)
- *   Result: Both hold a HandshakeResult with verified counterparty status
+ * Security invariants:
+ * - Plaintext never touches the filesystem
+ * - Every write gets a unique IV
+ * - Every write is signed (non-repudiation)
+ * - Monotonic version numbers prevent rollback
+ * - Merkle tree verifies namespace integrity
+ * - Secure deletion overwrites before unlinking
  */
 
-/** Trust tier derived from sovereignty handshake */
-type TrustTier = "verified-sovereign" | "verified-degraded" | "unverified";
-/** Sovereignty level from SHR assessment */
-type SovereigntyLevel = "full" | "degraded" | "minimal" | "unverified";
-/**
- * Step 1: Initiator sends challenge
- */
-interface HandshakeChallenge {
-    protocol_version: "1.0";
-    shr: SignedSHR;
-    nonce: string;
-    initiated_at: string;
-}
-/**
- * Step 2: Responder sends response
- */
-interface HandshakeResponse {
-    protocol_version: "1.0";
-    shr: SignedSHR;
-    responder_nonce: string;
-    initiator_nonce_signature: string;
-    responded_at: string;
+/** Result of a state write operation */
+interface WriteResult {
+    key: string;
+    namespace: string;
+    version: number;
+    merkle_root: string;
+    written_at: string;
+    size_bytes: number;
+    integrity_hash: string;
 }
-/**
- * Step 3: Initiator sends completion
- */
-interface HandshakeCompletion {
-    protocol_version: "1.0";
-    responder_nonce_signature: string;
-    completed_at: string;
+/** Result of a state read operation */
+interface ReadResult {
+    key: string;
+    namespace: string;
+    value: string;
+    version: number;
+    integrity_verified: boolean;
+    merkle_proof: string[];
+    written_at: string;
+    written_by: string;
 }
-/**
- * Final result: both parties hold this after a successful handshake
- */
-interface HandshakeResult {
-    counterparty_id: string;
-    counterparty_shr: SignedSHR;
-    verified: boolean;
-    sovereignty_level: SovereigntyLevel;
-    trust_tier: TrustTier;
-    completed_at: string;
-    expires_at: string;
-    errors: string[];
+/** Options for state write */
+interface WriteOptions {
+    content_type?: string;
+    ttl_seconds?: number;
+    tags?: string[];
 }
-/**
- * In-progress handshake state (stored on initiator side)
- */
-interface HandshakeSession {
-    session_id: string;
-    role: "initiator" | "responder";
-    state: "initiated" | "responded" | "completed" | "failed";
-    our_nonce: string;
-    their_nonce?: string;
-    our_shr: SignedSHR;
-    their_shr?: SignedSHR;
-    initiated_at: string;
-    result?: HandshakeResult;
+declare class StateStore {
+    private storage;
+    private masterKey;
+    private versionCache;
+    private contentHashes;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
+    private versionKey;
+    /**
+     * Get or initialize the content hash map for a namespace.
+     */
+    private getNamespaceHashes;
+    /**
+     * Write encrypted state.
+     *
+     * @param namespace - Logical grouping
+     * @param key - State key
+     * @param value - Plaintext value (will be encrypted)
+     * @param identityId - Identity performing the write
+     * @param encryptedPrivateKey - Identity's encrypted private key (for signing)
+     * @param identityEncryptionKey - Key to decrypt the identity's private key
+     * @param options - Optional metadata
+     */
+    write(namespace: string, key: string, value: string, identityId: string, encryptedPrivateKey: EncryptedPayload, identityEncryptionKey: Uint8Array, options?: WriteOptions): Promise<WriteResult>;
+    /**
+     * Read and decrypt state.
+     *
+     * @param namespace - Logical grouping
+     * @param key - State key
+     * @param signerPublicKey - Expected signer's public key (for signature verification)
+     * @param verifyIntegrity - Whether to verify Merkle proof (default: true)
+     */
+    read(namespace: string, key: string, signerPublicKey?: Uint8Array, verifyIntegrity?: boolean): Promise<ReadResult | null>;
+    /**
+     * List keys in a namespace (metadata only — no decryption).
+     */
+    list(namespace: string, prefix?: string, tags?: string[], limit?: number, offset?: number): Promise<{
+        keys: Array<{
+            key: string;
+            version: number;
+            size_bytes: number;
+            written_at: string;
+            tags: string[];
+        }>;
+        total: number;
+        merkle_root: string;
+    }>;
+    /**
+     * Securely delete state (overwrite with random bytes before removal).
+     */
+    delete(namespace: string, key: string): Promise<{
+        deleted: boolean;
+        key: string;
+        namespace: string;
+        new_merkle_root: string;
+        deleted_at: string;
+    }>;
+    /**
+     * Export all state for a namespace as an encrypted bundle.
+     */
+    export(namespace?: string): Promise<{
+        bundle: string;
+        namespaces: string[];
+        total_keys: number;
+        bundle_hash: string;
+        exported_at: string;
+    }>;
+    /**
+     * Import a previously exported state bundle.
+     */
+    import(bundleBase64: string, conflictResolution: "skip" | "overwrite" | "version" | undefined, publicKeyResolver: (kid: string) => Uint8Array | null): Promise<{
+        imported_keys: number;
+        skipped_keys: number;
+        skipped_invalid_sig: number;
+        skipped_unknown_kid: number;
+        conflicts: number;
+        namespaces: string[];
+        imported_at: string;
+    }>;
 }
 
 /**
- * Sanctuary MCP Server — Sovereignty-Gated Reputation Tiers
- *
- * Attestations carry a sovereignty_tier field reflecting the signer's
- * sovereignty posture at the time of recording. When querying or evaluating
- * reputation, attestations from verified-sovereign agents carry more weight
- * than those from unverified agents.
+ * Sanctuary MCP Server — Ed25519 Identity Management
  *
- * Tier hierarchy (descending credibility):
- *   1. "verified-sovereign"  — signer completed a handshake with full sovereignty
- *   2. "verified-degraded"   — signer completed a handshake with degraded sovereignty
- *   3. "self-attested"       — signer has a Sanctuary identity but no handshake verification
- *   4. "unverified"          — no Sanctuary identity or sovereignty proof
+ * Sovereign identity based on Ed25519 keypairs.
+ * Private keys are always encrypted at rest — never stored in plaintext.
  *
- * Weight multipliers are applied during reputation scoring. They are NOT
- * gatekeeping — unverified attestations still count, just less.
+ * Security invariants:
+ * - Private keys never appear in any MCP tool response
+ * - Private keys are encrypted with identity-specific keys derived from the master key
+ * - Key rotation produces a signed rotation event (verifiable chain)
  */
 
-type SovereigntyTier = "verified-sovereign" | "verified-degraded" | "self-attested" | "unverified";
-/** Weight multipliers for each tier */
-declare const TIER_WEIGHTS: Record<SovereigntyTier, number>;
-/** Tier metadata embedded in attestations */
-interface TierMetadata {
-    sovereignty_tier: SovereigntyTier;
-    /** If verified, the handshake that established it */
-    handshake_completed_at?: string;
-    /** Counterparty ID from handshake (if applicable) */
-    verified_by?: string;
+/** Public identity information (safe to share) */
+interface PublicIdentity {
+    identity_id: string;
+    label: string;
+    public_key: string;
+    did: string;
+    created_at: string;
+    key_type: "ed25519";
+    key_protection: "passphrase" | "hardware-key" | "recovery-key";
 }
-/**
- * Resolve the sovereignty tier for a counterparty based on handshake history.
- *
- * @param counterpartyId - The counterparty's instance ID
- * @param handshakeResults - Map of counterparty ID → most recent handshake result
- * @param hasSanctuaryIdentity - Whether the counterparty has a known Sanctuary identity
- * @returns TierMetadata for embedding in attestations
- */
-declare function resolveTier(counterpartyId: string, handshakeResults: Map<string, HandshakeResult>, hasSanctuaryIdentity: boolean): TierMetadata;
-/** An attestation with its tier for weighted scoring */
-interface TieredAttestation {
-    /** The raw metric value */
-    value: number;
-    /** The sovereignty tier of the attestation signer */
-    tier: SovereigntyTier;
+/** Stored identity (private key is encrypted) */
+interface StoredIdentity extends PublicIdentity {
+    encrypted_private_key: EncryptedPayload;
+    /** Previous public keys (for rotation chain verification) */
+    rotation_history: Array<{
+        old_public_key: string;
+        new_public_key: string;
+        rotation_event: string;
+        rotated_at: string;
+    }>;
 }
-/**
- * Compute a weighted reputation score from tiered attestations.
- *
- * Each attestation's contribution is multiplied by its tier weight.
- * The result is normalized by total weight (not count), so adding
- * low-tier attestations doesn't dilute high-tier ones.
- *
- * @param attestations - Array of value + tier pairs
- * @returns Weighted score, or null if no attestations
- */
-declare function computeWeightedScore(attestations: TieredAttestation[]): number | null;
-/**
- * Compute a tier distribution summary for a set of attestations.
- */
-declare function tierDistribution(tiers: SovereigntyTier[]): Record<SovereigntyTier, number>;
 
 /**
- * Sanctuary MCP Server — L4 Verifiable Reputation: Reputation Store
- *
- * Records interaction outcomes as signed attestations, queries aggregated
- * reputation data, and supports export/import for cross-platform portability.
- *
- * Attestation format is EAS-compatible (Ethereum Attestation Service) to
- * enable future on-chain anchoring without requiring blockchain for MVS.
+ * Sanctuary MCP Server — L1 Cognitive Sovereignty: Tool Definitions
  *
- * Security invariants:
- * - All attestations are signed by the recording identity
- * - Attestations are stored encrypted under L1 sovereignty
- * - Reputation queries return aggregates, never raw interaction data
- * - Export bundles include all signatures for independent verification
- * - Import verifies every signature before accepting attestations
+ * MCP tool wrappers for StateStore and IdentityRoot operations.
+ * These tools are the public API that agents interact with.
  */
 
-/** Interaction outcome for recording */
-interface InteractionOutcome {
-    type: "transaction" | "negotiation" | "service" | "dispute" | "custom";
-    result: "completed" | "partial" | "failed" | "disputed";
-    metrics?: Record<string, number>;
-}
-/** A signed attestation of an interaction */
-interface Attestation {
-    attestation_id: string;
-    schema: "sanctuary-interaction-v1";
-    data: {
-        interaction_id: string;
-        participant_did: string;
-        counterparty_did: string;
-        outcome_type: string;
-        outcome_result: string;
-        metrics: Record<string, number>;
-        context: string;
-        timestamp: string;
-        /** Sovereignty tier of the signer at time of recording */
-        sovereignty_tier?: SovereigntyTier;
-    };
-    signature: string;
-    signer: string;
-}
-/** Stored attestation (encrypted at rest) */
-interface StoredAttestation {
-    attestation: Attestation;
-    counterparty_attestation?: string;
-    counterparty_confirmed: boolean;
-    recorded_at: string;
-}
-/** Aggregated metric statistics */
-interface MetricAggregate {
-    mean: number;
-    median: number;
-    min: number;
-    max: number;
-    count: number;
-}
-/** Reputation query result */
-interface ReputationSummary {
-    total_interactions: number;
-    completed: number;
-    partial: number;
-    failed: number;
-    disputed: number;
-    contexts: string[];
-    time_range: {
-        start: string;
-        end: string;
-    };
-    aggregate_metrics: Record<string, MetricAggregate>;
-}
-/** Portable reputation bundle */
-interface ReputationBundle {
-    version: "SANCTUARY_REP_V1";
-    attestations: Attestation[];
-    exported_at: string;
-    exporter_did: string;
-    bundle_signature: string;
-}
-/** Escrow for trust bootstrapping */
-interface Escrow {
-    escrow_id: string;
-    transaction_terms: string;
-    terms_hash: string;
-    collateral_amount?: number;
-    counterparty_did: string;
-    creator_did: string;
-    created_at: string;
-    expires_at: string;
-    status: "pending" | "active" | "released" | "disputed" | "expired";
-}
-/** Principal guarantee for a new agent */
-interface Guarantee {
-    guarantee_id: string;
-    principal_did: string;
-    agent_did: string;
-    scope: string;
-    max_liability?: number;
-    valid_until: string;
-    certificate: string;
-    created_at: string;
-}
-declare class ReputationStore {
+/** Manages all identities — provides storage and retrieval */
+declare class IdentityManager {
     private storage;
-    private encryptionKey;
+    private masterKey;
+    private identities;
+    private primaryIdentityId;
+    private metadataKey;
     constructor(storage: StorageBackend, masterKey: Uint8Array);
-    /**
-     * Record an interaction outcome as a signed attestation.
-     */
-    record(interactionId: string, counterpartyDid: string, outcome: InteractionOutcome, context: string, identity: StoredIdentity, identityEncryptionKey: Uint8Array, counterpartyAttestation?: string, sovereigntyTier?: SovereigntyTier): Promise<StoredAttestation>;
-    /**
-     * Query reputation data with filtering.
-     * Returns aggregates only — not raw interaction data.
-     */
-    query(options: {
-        context?: string;
-        time_range?: {
-            start: string;
-            end: string;
-        };
-        metrics?: string[];
-        counterparty_did?: string;
-    }): Promise<ReputationSummary>;
-    /**
-     * Export attestations as a portable reputation bundle.
-     */
-    exportBundle(identity: StoredIdentity, identityEncryptionKey: Uint8Array, context?: string): Promise<ReputationBundle>;
-    /**
-     * Import attestations from a reputation bundle.
-     * Verifies signatures if requested (default: true).
-     *
-     * @param publicKeys - Map of DID → public key bytes for signature verification
+    private get encryptionKey();
+    /** Load identities from storage on startup.
+     *  Returns { total: number of encrypted files found, loaded: number successfully decrypted }.
+     *  A mismatch (total > 0, loaded === 0) indicates a wrong master key / missing passphrase.
      */
-    importBundle(bundle: ReputationBundle, verifySignatures: boolean, publicKeys: Map<string, Uint8Array>): Promise<{
-        imported: number;
-        invalid: number;
-        contexts: string[];
+    load(): Promise<{
+        total: number;
+        loaded: number;
+        failed: number;
     }>;
+    /** Save an identity to storage */
+    save(identity: StoredIdentity): Promise<void>;
+    /** Set which identity is the default/primary identity */
+    setPrimary(identityId: string): Promise<boolean>;
+    /** Persist the primary identity ID to storage */
+    private savePrimaryIdentityId;
+    get(id: string): StoredIdentity | undefined;
+    getDefault(): StoredIdentity | undefined;
+    getPrimaryIdentityId(): string | null;
+    list(): PublicIdentity[];
+}
+
+/**
+ * Sanctuary MCP Server — L3 Selective Disclosure: Commitment Schemes
+ *
+ * Cryptographic commitments allow an agent to commit to a value
+ * without revealing it, then later prove what was committed.
+ *
+ * This is the MVS approach to selective disclosure — simpler than
+ * full ZK proofs but still cryptographically sound. The commitment
+ * is SHA-256(value || blinding_factor), which is:
+ * - Hiding: the commitment reveals nothing about the value
+ * - Binding: the committer cannot change the value after committing
+ *
+ * Security invariants:
+ * - Blinding factors are cryptographically random (32 bytes)
+ * - Commitments are stored encrypted under L1 sovereignty
+ * - Revealed values are verified via constant-time comparison
+ */
+
+/** A cryptographic commitment */
+interface Commitment {
+    /** The commitment hash: SHA-256(value || blinding_factor) as base64url */
+    commitment: string;
+    /** The blinding factor (must be stored securely for later reveal) */
+    blinding_factor: string;
+    /** When the commitment was created */
+    committed_at: string;
+}
+/** Stored commitment metadata (encrypted at rest) */
+interface StoredCommitment {
+    commitment: string;
+    blinding_factor: string;
+    value: string;
+    committed_at: string;
+    revealed: boolean;
+    revealed_at?: string;
+}
+/**
+ * Commitment store — manages commitments encrypted under L1 sovereignty.
+ */
+declare class CommitmentStore {
+    private storage;
+    private encryptionKey;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Create an escrow for trust bootstrapping.
-     */
-    createEscrow(transactionTerms: string, counterpartyDid: string, timeoutSeconds: number, creatorDid: string, collateralAmount?: number): Promise<Escrow>;
-    /**
-     * Get an escrow by ID.
+     * Store a commitment (encrypted) for later reference.
      */
-    getEscrow(escrowId: string): Promise<Escrow | null>;
+    store(commitment: Commitment, value: string): Promise<string>;
     /**
-     * Create a principal's guarantee for a new agent.
+     * Retrieve a stored commitment by ID.
      */
-    createGuarantee(principalIdentity: StoredIdentity, agentDid: string, scope: string, durationSeconds: number, identityEncryptionKey: Uint8Array, maxLiability?: number): Promise<Guarantee>;
+    get(id: string): Promise<StoredCommitment | null>;
     /**
-     * Load attestations for tier-weighted scoring.
-     * Applies basic context/counterparty filtering, returns full StoredAttestations
-     * so callers can access sovereignty_tier from attestation data.
+     * Mark a commitment as revealed.
      */
-    loadAllForTierScoring(options?: {
-        context?: string;
-        counterparty_did?: string;
-    }): Promise<StoredAttestation[]>;
-    private loadAll;
+    markRevealed(id: string): Promise<void>;
 }
 
 /**
- * Sanctuary MCP Server — Federation Types
+ * Sanctuary MCP Server — L3 Selective Disclosure: Zero-Knowledge Proofs
  *
- * MCP-to-MCP federation enables two Sanctuary instances to:
- *   1. Discover each other's capabilities (SIM exchange)
- *   2. Establish mutual trust (sovereignty handshake)
- *   3. Exchange signed reputation attestations
- *   4. Evaluate trust for cross-instance interactions
+ * Upgrades the commitment-only L3 to support real zero-knowledge proofs.
+ * Uses Ristretto255 (prime-order curve group, no cofactor issues) for:
  *
- * Federation operates as a protocol layer atop the handshake:
- *   Handshake establishes trust → Federation uses that trust for ongoing operations.
+ *   1. Pedersen commitments: C = v*G + b*H (computationally hiding, perfectly binding)
+ *   2. ZK proof of knowledge: Schnorr sigma protocol via Fiat-Shamir
+ *   3. ZK range proofs: Prove value ∈ [min, max] without revealing it
  *
- * Key constraint: Federation MUST respect each party's sovereignty.
- * Neither party can compel the other to share data they haven't disclosed
- * via their disclosure policy.
+ * Ristretto255 is available via @noble/curves/ed25519, which we already depend on.
+ * This is genuine zero-knowledge — proofs reveal nothing beyond the stated property.
+ *
+ * Architecture note:
+ * The existing commitment scheme (SHA-256 based) remains available for backward
+ * compatibility. The ZK proofs operate on a separate Pedersen commitment system
+ * that provides algebraic structure for proper ZK properties.
+ *
+ * Security invariants:
+ * - Generator H is derived via hash-to-curve (nothing-up-my-sleeve)
+ * - Blinding factors are cryptographically random (32 bytes)
+ * - Fiat-Shamir challenges use domain-separated hashing
+ * - Range proofs use a bit-decomposition approach (sound but logarithmic size)
  */
-
-/** A known federation peer */
-interface FederationPeer {
-    /** The peer's instance ID (from their SHR) */
-    peer_id: string;
-    /** The peer's DID (identity) */
-    peer_did: string;
-    /** When this peer was first seen */
-    first_seen: string;
-    /** When last handshake completed */
-    last_handshake: string;
-    /** Current trust tier from most recent handshake */
-    trust_tier: SovereigntyTier;
-    /** Handshake result (for tier resolution) */
-    handshake_result: HandshakeResult;
-    /** Peer's advertised capabilities (from their SIM) */
-    capabilities: FederationCapabilities;
-    /** Whether we have a valid (non-expired) handshake */
-    active: boolean;
+/** A Pedersen commitment: C = v*G + b*H */
+interface PedersenCommitment {
+    /** The commitment point (encoded as base64url) */
+    commitment: string;
+    /** The blinding factor b (base64url, 32 bytes) — keep secret */
+    blinding_factor: string;
+    /** When the commitment was created */
+    committed_at: string;
 }
-/** Capabilities a peer advertises for federation */
-interface FederationCapabilities {
-    /** Whether the peer supports reputation exchange */
-    reputation_exchange: boolean;
-    /** Whether the peer supports mutual attestation */
-    mutual_attestation: boolean;
-    /** Whether the peer supports encrypted channels */
-    encrypted_channel: boolean;
-    /** Supported attestation formats */
-    attestation_formats: string[];
+/** A non-interactive ZK proof of knowledge of a commitment's opening */
+interface ZKProofOfKnowledge {
+    /** Proof type identifier */
+    type: "schnorr-pedersen-ristretto255";
+    /** The commitment this proof is for */
+    commitment: string;
+    /** Announcement point R (base64url) */
+    announcement: string;
+    /** Response scalar s_v (base64url) */
+    response_v: string;
+    /** Response scalar s_b (base64url) */
+    response_b: string;
+    /** Proof generated at */
+    generated_at: string;
 }
-/** Trust evaluation result for a federation peer */
-interface PeerTrustEvaluation {
-    peer_id: string;
-    /** Current sovereignty tier (from handshake) */
-    sovereignty_tier: SovereigntyTier;
-    /** Whether handshake is current (not expired) */
-    handshake_current: boolean;
-    /** Reputation summary (if available) */
-    reputation_score?: number;
-    /** How many mutual attestations we share */
-    mutual_attestation_count: number;
-    /** Overall trust assessment */
-    trust_level: "high" | "medium" | "low" | "none";
-    /** Reasoning for the assessment */
-    factors: string[];
-    /** Evaluated at */
-    evaluated_at: string;
+/** A ZK range proof: proves value ∈ [min, max] */
+interface ZKRangeProof {
+    /** Proof type identifier */
+    type: "range-pedersen-ristretto255";
+    /** The commitment this proof is for */
+    commitment: string;
+    /** Minimum value (inclusive) */
+    min: number;
+    /** Maximum value (inclusive) */
+    max: number;
+    /** Bit commitments for the shifted value (v - min) */
+    bit_commitments: string[];
+    /** Proofs that each bit commitment is 0 or 1 */
+    bit_proofs: Array<{
+        announcement_0: string;
+        announcement_1: string;
+        challenge_0: string;
+        challenge_1: string;
+        response_0: string;
+        response_1: string;
+    }>;
+    /** Sum proof: bit commitments sum to the value commitment */
+    sum_proof: {
+        announcement: string;
+        response: string;
+    };
+    /** Proof generated at */
+    generated_at: string;
 }
-
 /**
- * Sanctuary MCP Server — Federation Peer Registry
+ * Create a Pedersen commitment to a numeric value.
  *
- * Manages known federation peers. Peers are discovered through handshakes
- * and tracked for ongoing federation operations.
+ * C = v*G + b*H
  *
- * The registry is the source of truth for:
- * - Who we've federated with
- * - Current trust status of each peer
- * - Peer capabilities (what operations they support)
+ * Properties:
+ * - Computationally hiding (under discrete log assumption)
+ * - Perfectly binding (information-theoretic)
+ * - Homomorphic: C(v1) + C(v2) = C(v1+v2) with adjusted blinding
  *
- * Security invariants:
- * - Peers are ONLY added through completed handshakes (not self-registration)
- * - Trust tiers degrade automatically when handshakes expire
- * - Peer data is stored encrypted under L1 sovereignty
+ * @param value - The value to commit to (integer)
+ * @returns The commitment and blinding factor
  */
-
-declare class FederationRegistry {
-    private peers;
-    /**
-     * Register or update a peer from a completed handshake.
-     * This is the ONLY way peers enter the registry.
-     */
-    registerFromHandshake(result: HandshakeResult, peerDid: string, capabilities?: Partial<FederationCapabilities>): FederationPeer;
-    /**
-     * Get a peer by instance ID.
-     * Automatically updates active status based on handshake expiry.
-     */
-    getPeer(peerId: string): FederationPeer | null;
-    /**
-     * List all known peers, optionally filtered by status.
-     */
-    listPeers(filter?: {
-        active_only?: boolean;
-    }): FederationPeer[];
-    /**
-     * Evaluate trust for a federation peer.
-     *
-     * Trust assessment considers:
-     * - Handshake status (current vs expired)
-     * - Sovereignty tier (verified-sovereign vs degraded vs unverified)
-     * - Reputation data (if available)
-     * - Mutual attestation history
-     */
-    evaluateTrust(peerId: string, mutualAttestationCount?: number, reputationScore?: number): PeerTrustEvaluation;
-    /**
-     * Remove a peer from the registry.
-     */
-    removePeer(peerId: string): boolean;
-    /**
-     * Get the handshake results map (for tier resolution integration).
-     */
-    getHandshakeResults(): Map<string, HandshakeResult>;
-}
-
+declare function createPedersenCommitment(value: number): PedersenCommitment;
+/**
+ * Verify a Pedersen commitment against a revealed value and blinding factor.
+ *
+ * Recomputes C' = v*G + b*H and checks C' == C.
+ */
+declare function verifyPedersenCommitment(commitment: string, value: number, blindingFactor: string): boolean;
+/**
+ * Create a non-interactive ZK proof that you know the opening (v, b)
+ * of a Pedersen commitment C = v*G + b*H.
+ *
+ * Schnorr sigma protocol with Fiat-Shamir transform:
+ *   1. Pick random r_v, r_b
+ *   2. Compute R = r_v*G + r_b*H (announcement)
+ *   3. Compute e = H_FS(C || R) (challenge via Fiat-Shamir)
+ *   4. Compute s_v = r_v + e*v, s_b = r_b + e*b (responses)
+ *   5. Proof = (R, s_v, s_b)
+ *
+ * Zero-knowledge: the transcript (R, e, s_v, s_b) can be simulated
+ * without knowing (v, b), so it reveals nothing.
+ *
+ * @param value - The committed value
+ * @param blindingFactor - The blinding factor (base64url)
+ * @param commitment - The commitment (base64url)
+ */
+declare function createProofOfKnowledge(value: number, blindingFactor: string, commitment: string): ZKProofOfKnowledge;
 /**
- * Sanctuary MCP Server — L2 Operational Isolation: Context Gating
+ * Verify a ZK proof of knowledge of a commitment's opening.
  *
- * Context gating controls what information leaves the sovereignty boundary
- * when an agent makes outbound calls — especially inference calls to remote
- * LLM providers. This is the "minimum-necessary context" enforcement layer.
+ * Check: s_v*G + s_b*H == R + e*C
+ */
+declare function verifyProofOfKnowledge(proof: ZKProofOfKnowledge): boolean;
+/**
+ * Create a ZK range proof: prove value ∈ [min, max] without revealing value.
  *
- * The problem: When an agent sends a request to a remote LLM provider (Claude,
- * GPT, etc.), most harnesses send the agent's full context — conversation
- * history, memory, tool results, preferences, internal reasoning. The agent
- * has no control over what the provider sees.
+ * Approach: bit-decomposition of (value - min) into n bits where 2^n > max - min.
+ * Each bit gets a Pedersen commitment and a proof it's 0 or 1.
+ * A sum proof shows the bit commitments reconstruct the original commitment
+ * (shifted by min).
  *
- * Context gating lets the agent define:
- * - Provider categories (inference, tool-api, logging, analytics, etc.)
- * - What fields/categories of context may flow to each provider type
- * - What must always be redacted (secrets, internal reasoning, PII, etc.)
- * - What requires transformation (hashing, summarizing, anonymizing)
+ * @param value - The committed value
+ * @param blindingFactor - The blinding factor (base64url)
+ * @param commitment - The commitment (base64url)
+ * @param min - Minimum value (inclusive)
+ * @param max - Maximum value (inclusive)
+ */
+declare function createRangeProof(value: number, blindingFactor: string, commitment: string, min: number, max: number): ZKRangeProof | {
+    error: string;
+};
+/**
+ * Verify a ZK range proof.
+ */
+declare function verifyRangeProof(proof: ZKRangeProof): boolean;
+
+/**
+ * Sanctuary MCP Server — L3 Selective Disclosure: Disclosure Policies
  *
- * This sits in L2 (Operational Isolation) because it controls information
- * flow at the execution boundary. L3 (Selective Disclosure) handles agent-
- * to-agent trust negotiation with cryptographic proofs; context gating
- * handles agent-to-infrastructure information flow.
+ * Disclosure policies define what an agent will and will not disclose
+ * in different interaction contexts. Policies are evaluated against
+ * incoming disclosure requests to produce per-field decisions.
+ *
+ * This is the agent's "privacy preferences" layer — it codifies the
+ * human principal's intent about what information can flow where.
  *
  * Security invariants:
- * - Redact rules take absolute priority (like withhold in L3)
  * - Policies are stored encrypted under L1 sovereignty
- * - Every filter operation is audit-logged with a content hash
- *   (what was sent, what was redacted — without storing the content itself)
- * - Default policy: redact everything not explicitly allowed
+ * - Default action is always "withhold" unless explicitly overridden
+ * - Policy evaluation is deterministic (same request → same decision)
  */
 
-/** Provider categories that context may flow to */
-type ProviderCategory = "inference" | "tool-api" | "logging" | "analytics" | "peer-agent" | "custom";
-/** Actions that can be taken on a context field */
-type ContextAction = "allow" | "redact" | "hash" | "summarize" | "deny";
-/** A rule within a context-gating policy */
-interface ContextGateRule {
-    /** Provider category this rule applies to */
-    provider: ProviderCategory | "*";
-    /** Fields/patterns that may pass through */
-    allow: string[];
-    /** Fields/patterns that must be redacted (highest priority) */
-    redact: string[];
-    /** Fields/patterns that should be hashed */
-    hash: string[];
-    /** Fields/patterns that should be summarized (advisory) */
-    summarize: string[];
+/** A single disclosure rule within a policy */
+interface DisclosureRule {
+    /** Interaction context this rule applies to */
+    context: string;
+    /** Fields/claims the agent MAY disclose */
+    disclose: string[];
+    /** Fields/claims the agent MUST NOT disclose */
+    withhold: string[];
+    /** Fields that require proof rather than plain disclosure */
+    proof_required: string[];
 }
-/** A complete context-gating policy */
-interface ContextGatePolicy {
+/** A complete disclosure policy */
+interface DisclosurePolicy {
     policy_id: string;
     policy_name: string;
-    rules: ContextGateRule[];
-    /** Default action when no rule matches a field */
-    default_action: "redact" | "deny";
-    /** Identity this policy is bound to (optional) */
+    rules: DisclosureRule[];
+    default_action: "withhold" | "ask-principal";
     identity_id?: string;
     created_at: string;
     updated_at: string;
 }
-/** Result of filtering a single field */
-interface FieldFilterResult {
-    field: string;
-    action: ContextAction;
-    reason: string;
-    /** If action is "hash", contains the hash */
-    hash_value?: string;
-}
-/** Result of a full context filter operation */
-interface ContextFilterResult {
-    policy_id: string;
-    provider: ProviderCategory | string;
-    fields_allowed: number;
-    fields_redacted: number;
-    fields_hashed: number;
-    fields_summarized: number;
-    fields_denied: number;
-    decisions: FieldFilterResult[];
-    /** SHA-256 hash of the original context (for audit trail) */
-    original_context_hash: string;
-    /** SHA-256 hash of the filtered output (for audit trail) */
-    filtered_context_hash: string;
-    filtered_at: string;
-}
-/**
- * Evaluate a context field against a policy for a given provider.
- *
- * Priority order (same as L3 disclosure):
- * 1. Redact (blocks — highest priority)
- * 2. Deny (blocks entire request)
- * 3. Hash (transforms)
- * 4. Summarize (advisory transform)
- * 5. Allow (passes through)
- * 6. Default action
- */
-declare function evaluateField(policy: ContextGatePolicy, provider: ProviderCategory | string, field: string): FieldFilterResult;
-/**
- * Filter a full context object against a policy for a given provider.
- * Returns per-field decisions and content hashes for the audit trail.
- */
-declare function filterContext(policy: ContextGatePolicy, provider: ProviderCategory | string, context: Record<string, unknown>): ContextFilterResult;
 /**
- * Context gate policy store — encrypted under L1 sovereignty.
+ * Policy store — manages disclosure policies encrypted under L1 sovereignty.
  */
-declare class ContextGatePolicyStore {
+declare class PolicyStore {
     private storage;
     private encryptionKey;
     private policies;
     constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Create and store a new context-gating policy.
+     * Create and store a new disclosure policy.
      */
-    create(policyName: string, rules: ContextGateRule[], defaultAction: "redact" | "deny", identityId?: string): Promise<ContextGatePolicy>;
+    create(policyName: string, rules: DisclosureRule[], defaultAction: "withhold" | "ask-principal", identityId?: string): Promise<DisclosurePolicy>;
     /**
      * Get a policy by ID.
      */
-    get(policyId: string): Promise<ContextGatePolicy | null>;
+    get(policyId: string): Promise<DisclosurePolicy | null>;
     /**
-     * List all context-gating policies.
+     * List all policies.
      */
-    list(): Promise<ContextGatePolicy[]>;
+    list(): Promise<DisclosurePolicy[]>;
     /**
      * Load all persisted policies into memory.
      */
@@ -1272,736 +1174,871 @@ declare class ContextGatePolicyStore {
 }
 
 /**
- * Sanctuary MCP Server — L2 Context Gating: Starter Policy Templates
- *
- * Pre-built policies for common use cases. These are starting points —
- * users should customize them for their specific context structure.
- *
- * Templates:
- *
- *   inference-minimal
- *     Only the current task and query reach the LLM. Everything else
- *     is redacted. Secrets, PII, memory, reasoning, and history are
- *     all blocked. IDs are hashed. Maximum privacy, minimum context.
- *
- *   inference-standard
- *     Task, query, and tool results pass through. Conversation history
- *     is flagged for summarization (compress before sending). Secrets,
- *     PII, and internal reasoning are redacted. IDs are hashed.
- *     Balanced: the LLM has enough context to be useful without seeing
- *     everything the agent knows.
+ * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types
  *
- *   logging-strict
- *     Redacts everything for logging/analytics providers. Only
- *     operation names and timestamps pass through. Use this for
- *     telemetry services where you want usage metrics without
- *     content exposure.
+ * Machine-readable, signed, versioned sovereignty capability advertisement.
+ * An agent presents its SHR to counterparties to prove its sovereignty posture.
+ * The SHR is signed by one of the instance's Ed25519 identities and can be
+ * independently verified by any party without trusting the presenter.
  *
- *   tool-api-scoped
- *     Allows tool-specific parameters and the current task, redacts
- *     memory, history, secrets, and PII. Hashes IDs. For outbound
- *     calls to external APIs (search, database, etc.) where you need
- *     to send query parameters but not your agent's full state.
+ * SHR version: 1.0
+ */
+type LayerStatus = "active" | "degraded" | "inactive";
+type DegradationSeverity = "info" | "warning" | "critical";
+type DegradationCode = "NO_TEE" | "PROCESS_ISOLATION_ONLY" | "COMMITMENT_ONLY" | "NO_ZK_PROOFS" | "SELF_REPORTED_ATTESTATION" | "NO_SELECTIVE_DISCLOSURE" | "BASIC_SYBIL_ONLY";
+interface SHRLayerL1 {
+    status: LayerStatus;
+    encryption: string;
+    key_custody: "self" | "delegated" | "platform";
+    integrity: string;
+    identity_type: string;
+    state_portable: boolean;
+}
+interface SHRLayerL2 {
+    status: LayerStatus;
+    isolation_type: string;
+    attestation_available: boolean;
+    /** Model provenance: what inference model(s) power this agent */
+    model_provenance?: {
+        model_id: string;
+        model_name: string;
+        provider: string;
+        open_weights: boolean;
+        open_source: boolean;
+        local_inference: boolean;
+        weights_hash?: string;
+    };
+}
+interface SHRLayerL3 {
+    status: LayerStatus;
+    proof_system: string;
+    selective_disclosure: boolean;
+}
+interface SHRLayerL4 {
+    status: LayerStatus;
+    reputation_mode: string;
+    attestation_format: string;
+    reputation_portable: boolean;
+}
+interface SHRDegradation {
+    layer: "l1" | "l2" | "l3" | "l4";
+    code: DegradationCode;
+    severity: DegradationSeverity;
+    description: string;
+    mitigation?: string;
+}
+interface SHRCapabilities {
+    handshake: boolean;
+    shr_exchange: boolean;
+    reputation_verify: boolean;
+    encrypted_channel: boolean;
+}
+/**
+ * The SHR body — the content that gets signed.
+ * Canonical form: JSON with sorted keys, no whitespace.
+ */
+interface SHRBody {
+    shr_version: "1.0";
+    implementation: {
+        sanctuary_version: string;
+        node_version: string;
+        generated_by: string;
+    };
+    instance_id: string;
+    generated_at: string;
+    expires_at: string;
+    layers: {
+        l1: SHRLayerL1;
+        l2: SHRLayerL2;
+        l3: SHRLayerL3;
+        l4: SHRLayerL4;
+    };
+    capabilities: SHRCapabilities;
+    degradations: SHRDegradation[];
+}
+/**
+ * The complete signed SHR — body + signature envelope.
  */
-
-/** A template definition ready to be applied via the policy store */
-interface ContextGateTemplate {
-    /** Machine-readable template ID */
-    id: string;
-    /** Human-readable name */
-    name: string;
-    /** One-line description */
-    description: string;
-    /** When to use this template */
-    use_when: string;
-    /** The rules that make up this template */
-    rules: ContextGateRule[];
-    /** Default action for unmatched fields */
-    default_action: "redact" | "deny";
+interface SignedSHR {
+    body: SHRBody;
+    signed_by: string;
+    signature: string;
+}
+interface SHRVerificationResult {
+    valid: boolean;
+    errors: string[];
+    warnings: string[];
+    sovereignty_level: "full" | "degraded" | "minimal";
+    counterparty_id: string;
+    expires_at: string;
 }
-/** All available templates, keyed by ID */
-declare const TEMPLATES: Record<string, ContextGateTemplate>;
-/** List all available template IDs */
-declare function listTemplateIds(): string[];
-/** Get a template by ID (returns undefined if not found) */
-declare function getTemplate(id: string): ContextGateTemplate | undefined;
 
 /**
- * Sanctuary MCP Server — L2 Context Gating: Policy Recommendation Engine
- *
- * Analyzes a sample context object and recommends a context-gating policy
- * based on field name heuristics. The agent (or human) can then review,
- * adjust, and apply the recommendation.
- *
- * This is deliberately conservative: when in doubt, it recommends redact.
- * A false redaction is a usability issue; a false allow is a privacy leak.
+ * Sanctuary MCP Server — Sovereignty Handshake Types
  *
- * Classification heuristics:
- * - Known secret patterns → redact (highest confidence)
- * - Known PII patterns → redact (high confidence)
- * - Known internal state patterns → redact (high confidence)
- * - Known ID patterns → hash (medium confidence)
- * - Known history patterns → summarize (medium confidence)
- * - Known task/query patterns → allow (medium confidence)
- * - Everything else → redact (conservative default)
+ * The sovereignty handshake is a mutual verification protocol between
+ * two Sanctuary instances. Each party presents its SHR and proves
+ * liveness via nonce challenge-response.
  *
- * WARNING: Fields like 'tool_results' and 'tool_output' are classified as
- * "allow" (medium confidence) but may contain sensitive data from external
- * API responses, including auth tokens, user data, or PII. Always review
- * recommendations before applying — the heuristic classifies by field NAME,
- * not field CONTENT.
+ * Protocol:
+ *   A → B: HandshakeChallenge (A's SHR + nonce)
+ *   B → A: HandshakeResponse (B's SHR + B's nonce + signature over A's nonce)
+ *   A → B: HandshakeCompletion (signature over B's nonce)
+ *   Result: Both hold a HandshakeResult with verified counterparty status
  */
-/** Classification result for a single field */
-interface FieldClassification {
-    field: string;
-    recommended_action: "allow" | "redact" | "hash" | "summarize";
-    reason: string;
-    confidence: "high" | "medium" | "low";
-    /** Pattern that matched, if any */
-    matched_pattern: string | null;
+
+/** Trust tier derived from sovereignty handshake */
+type TrustTier = "verified-sovereign" | "verified-degraded" | "unverified";
+/** Sovereignty level from SHR assessment */
+type SovereigntyLevel = "full" | "degraded" | "minimal" | "unverified";
+/**
+ * Step 1: Initiator sends challenge
+ */
+interface HandshakeChallenge {
+    protocol_version: "1.0";
+    shr: SignedSHR;
+    nonce: string;
+    initiated_at: string;
 }
-/** Full recommendation result */
-interface PolicyRecommendation {
-    provider: string;
-    classifications: FieldClassification[];
-    recommended_rules: {
-        allow: string[];
-        redact: string[];
-        hash: string[];
-        summarize: string[];
-    };
-    default_action: "redact";
-    summary: {
-        total_fields: number;
-        allow: number;
-        redact: number;
-        hash: number;
-        summarize: number;
-    };
-    warnings: string[];
+/**
+ * Step 2: Responder sends response
+ */
+interface HandshakeResponse {
+    protocol_version: "1.0";
+    shr: SignedSHR;
+    responder_nonce: string;
+    initiator_nonce_signature: string;
+    responded_at: string;
 }
 /**
- * Classify a single field name and return a recommendation.
+ * Step 3: Initiator sends completion
  */
-declare function classifyField(fieldName: string): FieldClassification;
+interface HandshakeCompletion {
+    protocol_version: "1.0";
+    responder_nonce_signature: string;
+    completed_at: string;
+}
 /**
- * Analyze a full context object and recommend a policy.
+ * Final result: both parties hold this after a successful handshake
  */
-declare function recommendPolicy(context: Record<string, unknown>, provider?: string): PolicyRecommendation;
+interface HandshakeResult {
+    counterparty_id: string;
+    counterparty_shr: SignedSHR;
+    verified: boolean;
+    sovereignty_level: SovereigntyLevel;
+    trust_tier: TrustTier;
+    completed_at: string;
+    expires_at: string;
+    errors: string[];
+}
+/**
+ * In-progress handshake state (stored on initiator side)
+ */
+interface HandshakeSession {
+    session_id: string;
+    role: "initiator" | "responder";
+    state: "initiated" | "responded" | "completed" | "failed";
+    our_nonce: string;
+    their_nonce?: string;
+    our_shr: SignedSHR;
+    their_shr?: SignedSHR;
+    initiated_at: string;
+    result?: HandshakeResult;
+}
 
 /**
- * Sanctuary MCP Server — L2 Model Provenance
- *
- * Declares and attests to the model(s) powering this agent.
+ * Sanctuary MCP Server — Sovereignty-Gated Reputation Tiers
  *
- * Vitalik Buterin's "Secure LLM" post (April 2026) identified a critical gap:
- * open-weights-but-not-open-source models can have trained-in backdoors. Model
- * provenance declaration lets agents and their operators verify the integrity
- * of the inference backbone.
+ * Attestations carry a sovereignty_tier field reflecting the signer's
+ * sovereignty posture at the time of recording. When querying or evaluating
+ * reputation, attestations from verified-sovereign agents carry more weight
+ * than those from unverified agents.
  *
- * Tracks: model name, version, weights hash, license, open-source status,
- * training data hash (if available). Included in SHR L2 section.
+ * Tier hierarchy (descending credibility):
+ *   1. "verified-sovereign"  — signer completed a handshake with full sovereignty
+ *   2. "verified-degraded"   — signer completed a handshake with degraded sovereignty
+ *   3. "self-attested"       — signer has a Sanctuary identity but no handshake verification
+ *   4. "unverified"          — no Sanctuary identity or sovereignty proof
  *
- * This sits in L2 (Operational Isolation) because it's part of the runtime
- * attestation surface — the agent declares what model(s) it's actually running.
- */
-/**
- * Metadata about a single model powering this agent.
+ * Weight multipliers are applied during reputation scoring. They are NOT
+ * gatekeeping — unverified attestations still count, just less.
  */
-interface ModelProvenance {
-    /** Machine-readable model ID (e.g., "qwen3.5-35b", "claude-opus-4", "llama-3.3-70b-instruct") */
-    model_id: string;
-    /** Human-readable model name (e.g., "Qwen 3.5", "Claude Opus 4", "Llama 3.3 70B Instruct") */
-    model_name: string;
-    /** Semantic version (e.g., "3.5", "4.0", "3.3") */
-    model_version: string;
-    /** Provider/vendor (e.g., "Alibaba Cloud", "Anthropic", "Meta", "local") */
-    provider: string;
-    /** SHA-256 of model weights file, if available and verifiable */
-    weights_hash?: string;
-    /** SHA-256 of training data manifest or metadata, if available */
-    training_data_hash?: string;
-    /** License identifier (e.g., "Apache-2.0", "CC-BY-4.0", "proprietary", "unknown") */
-    license: string;
-    /** True if model weights are publicly available (even if training is proprietary) */
-    open_weights: boolean;
-    /** True if full training code, data, and methodology are publicly available */
-    open_source: boolean;
-    /** True if inference runs on the local agent's hardware (not delegated to cloud API) */
-    local_inference: boolean;
-    /** ISO 8601 timestamp when this provenance was declared */
-    declared_at: string;
+
+type SovereigntyTier = "verified-sovereign" | "verified-degraded" | "self-attested" | "unverified";
+/** Weight multipliers for each tier */
+declare const TIER_WEIGHTS: Record<SovereigntyTier, number>;
+/** Tier metadata embedded in attestations */
+interface TierMetadata {
+    sovereignty_tier: SovereigntyTier;
+    /** If verified, the handshake that established it */
+    handshake_completed_at?: string;
+    /** Counterparty ID from handshake (if applicable) */
+    verified_by?: string;
 }
 /**
- * In-memory and persistent store for model provenance declarations.
- * Declarations are encrypted under L1 sovereignty.
+ * Resolve the sovereignty tier for a counterparty based on handshake history.
+ *
+ * @param counterpartyId - The counterparty's instance ID
+ * @param handshakeResults - Map of counterparty ID → most recent handshake result
+ * @param hasSanctuaryIdentity - Whether the counterparty has a known Sanctuary identity
+ * @returns TierMetadata for embedding in attestations
  */
-interface ModelProvenanceStore {
-    /**
-     * Declare a model's provenance and add it to the store.
-     */
-    declare(provenance: ModelProvenance): void;
-    /**
-     * Retrieve a model's provenance by ID.
-     */
-    get(model_id: string): ModelProvenance | undefined;
-    /**
-     * List all declared models.
-     */
-    list(): ModelProvenance[];
-    /**
-     * Get the primary/main model (the one the agent uses by default for inference).
-     */
-    primary(): ModelProvenance | undefined;
-    /**
-     * Set which model is the primary.
-     */
-    setPrimary(model_id: string): void;
+declare function resolveTier(counterpartyId: string, handshakeResults: Map<string, HandshakeResult>, hasSanctuaryIdentity: boolean): TierMetadata;
+/** An attestation with its tier for weighted scoring */
+interface TieredAttestation {
+    /** The raw metric value */
+    value: number;
+    /** The sovereignty tier of the attestation signer */
+    tier: SovereigntyTier;
 }
 /**
- * In-memory implementation of ModelProvenanceStore.
- * Suitable for most use cases. For encrypted persistence, integrate with L1 state store.
- */
-declare class InMemoryModelProvenanceStore implements ModelProvenanceStore {
-    private models;
-    private primaryModelId;
-    declare(provenance: ModelProvenance): void;
-    get(model_id: string): ModelProvenance | undefined;
-    list(): ModelProvenance[];
-    primary(): ModelProvenance | undefined;
-    setPrimary(model_id: string): void;
-}
+ * Compute a weighted reputation score from tiered attestations.
+ *
+ * Each attestation's contribution is multiplied by its tier weight.
+ * The result is normalized by total weight (not count), so adding
+ * low-tier attestations doesn't dilute high-tier ones.
+ *
+ * @param attestations - Array of value + tier pairs
+ * @returns Weighted score, or null if no attestations
+ */
+declare function computeWeightedScore(attestations: TieredAttestation[]): number | null;
 /**
- * Common model provenance presets for quick initialization.
+ * Compute a tier distribution summary for a set of attestations.
  */
-declare const MODEL_PRESETS: {
-    /**
-     * Claude Opus 4 via Anthropic API (cloud inference, closed weights/source)
-     */
-    claudeOpus4: () => ModelProvenance;
-    /**
-     * Qwen 3.5 via local inference (open weights, proprietary training)
-     */
-    qwen35Local: () => ModelProvenance;
-    /**
-     * Llama 3.3 70B via local inference (open weights and code)
-     */
-    llama33Local: () => ModelProvenance;
-    /**
-     * Mistral 7B (open weights, open code, local inference)
-     */
-    mistral7bLocal: () => ModelProvenance;
-};
+declare function tierDistribution(tiers: SovereigntyTier[]): Record<SovereigntyTier, number>;
 
 /**
- * Sanctuary MCP Server — Prompt Injection Detection Layer
+ * Sanctuary MCP Server — L4 Verifiable Reputation: Reputation Store
  *
- * Fast, zero-dependency detection of common prompt injection patterns.
- * Scans tool arguments for role override, security bypass, encoding evasion,
- * data exfiltration, and prompt stuffing signals.
+ * Records interaction outcomes as signed attestations, queries aggregated
+ * reputation data, and supports export/import for cross-platform portability.
  *
- * SEC-034/SEC-035: Enhanced with Unicode sanitization pre-pass, decoded content
- * re-scanning, token budget analysis, and outbound content scanning.
+ * Attestation format is EAS-compatible (Ethereum Attestation Service) to
+ * enable future on-chain anchoring without requiring blockchain for MVS.
  *
  * Security invariants:
- * - Always returns a result, never throws
- * - Typical scan completes in < 5ms
- * - False positives minimized via field-aware scanning
- * - Recursive scanning of nested objects/arrays
- * - Outbound scanning catches secret leaks and injection artifact survival
+ * - All attestations are signed by the recording identity
+ * - Attestations are stored encrypted under L1 sovereignty
+ * - Reputation queries return aggregates, never raw interaction data
+ * - Export bundles include all signatures for independent verification
+ * - Import verifies every signature before accepting attestations
  */
-interface InjectionDetectorConfig {
-    enabled: boolean;
-    sensitivity: "low" | "medium" | "high";
-    on_detection: "escalate" | "block" | "log";
-    custom_patterns?: string[];
+
+/** Interaction outcome for recording */
+interface InteractionOutcome {
+    type: "transaction" | "negotiation" | "service" | "dispute" | "custom";
+    result: "completed" | "partial" | "failed" | "disputed";
+    metrics?: Record<string, number>;
 }
-interface InjectionSignal {
-    type: string;
-    pattern: string;
-    location: string;
-    severity: "low" | "medium" | "high";
+/** A signed attestation of an interaction */
+interface Attestation {
+    attestation_id: string;
+    schema: "sanctuary-interaction-v1";
+    data: {
+        interaction_id: string;
+        participant_did: string;
+        counterparty_did: string;
+        outcome_type: string;
+        outcome_result: string;
+        metrics: Record<string, number>;
+        context: string;
+        timestamp: string;
+        /** Sovereignty tier of the signer at time of recording */
+        sovereignty_tier?: SovereigntyTier;
+    };
+    signature: string;
+    signer: string;
 }
-interface DetectionResult {
-    flagged: boolean;
-    confidence: number;
-    signals: InjectionSignal[];
-    recommendation: "allow" | "escalate" | "block";
+/** Stored attestation (encrypted at rest) */
+interface StoredAttestation {
+    attestation: Attestation;
+    counterparty_attestation?: string;
+    counterparty_confirmed: boolean;
+    recorded_at: string;
 }
-declare class InjectionDetector {
-    private config;
-    private stats;
-    constructor(config?: Partial<InjectionDetectorConfig>);
-    /**
-     * Scan tool arguments for injection signals.
-     * @param toolName Full tool name (e.g., "state_read")
-     * @param args Tool arguments
-     * @returns DetectionResult with all detected signals
-     */
-    scan(toolName: string, args: Record<string, unknown>): DetectionResult;
-    /**
-     * SEC-035: Scan outbound content for secret leaks, data exfiltration,
-     * internal path exposure, and injection artifact survival.
-     *
-     * @param content The outbound content string to scan
-     * @returns DetectionResult with outbound-specific signal types
-     */
-    scanOutbound(content: string): DetectionResult;
-    /**
-     * Recursively scan a value and all nested values.
-     */
-    private scanValue;
+/** Aggregated metric statistics */
+interface MetricAggregate {
+    mean: number;
+    median: number;
+    min: number;
+    max: number;
+    count: number;
+}
+/** Reputation query result */
+interface ReputationSummary {
+    total_interactions: number;
+    completed: number;
+    partial: number;
+    failed: number;
+    disputed: number;
+    contexts: string[];
+    time_range: {
+        start: string;
+        end: string;
+    };
+    aggregate_metrics: Record<string, MetricAggregate>;
+}
+/** Portable reputation bundle */
+interface ReputationBundle {
+    version: "SANCTUARY_REP_V1";
+    attestations: Attestation[];
+    exported_at: string;
+    exporter_did: string;
+    bundle_signature: string;
+}
+/** Escrow for trust bootstrapping */
+interface Escrow {
+    escrow_id: string;
+    transaction_terms: string;
+    terms_hash: string;
+    collateral_amount?: number;
+    counterparty_did: string;
+    creator_did: string;
+    created_at: string;
+    expires_at: string;
+    status: "pending" | "active" | "released" | "disputed" | "expired";
+}
+/** Principal guarantee for a new agent */
+interface Guarantee {
+    guarantee_id: string;
+    principal_did: string;
+    agent_did: string;
+    scope: string;
+    max_liability?: number;
+    valid_until: string;
+    certificate: string;
+    created_at: string;
+}
+declare class ReputationStore {
+    private storage;
+    private encryptionKey;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Scan a single string for injection signals.
+     * Record an interaction outcome as a signed attestation.
      */
-    private scanString;
+    record(interactionId: string, counterpartyDid: string, outcome: InteractionOutcome, context: string, identity: StoredIdentity, identityEncryptionKey: Uint8Array, counterpartyAttestation?: string, sovereigntyTier?: SovereigntyTier): Promise<StoredAttestation>;
     /**
-     * Count invisible Unicode characters in a string.
-     * Includes zero-width chars, soft hyphens, directional marks,
-     * variation selectors, and other invisible categories.
+     * Query reputation data with filtering.
+     * Returns aggregates only — not raw interaction data.
      */
-    private countInvisibleChars;
+    query(options: {
+        context?: string;
+        time_range?: {
+            start: string;
+            end: string;
+        };
+        metrics?: string[];
+        counterparty_did?: string;
+    }): Promise<ReputationSummary>;
     /**
-     * Strip invisible characters from a string for clean pattern matching.
-     * Returns a new string with all invisible chars removed.
+     * Export attestations as a portable reputation bundle.
      */
-    private stripInvisibleChars;
+    exportBundle(identity: StoredIdentity, identityEncryptionKey: Uint8Array, context?: string): Promise<ReputationBundle>;
     /**
-     * SEC-034: Token budget attack detection.
-     * Some Unicode sequences expand dramatically during tokenization (e.g., CJK
-     * ideographs, combining characters, emoji sequences). If the estimated token
-     * cost per character is anomalously high, this may be a wallet-drain payload.
+     * Import attestations from a reputation bundle.
+     * Verifies signatures if requested (default: true).
      *
-     * Heuristic: count chars that typically tokenize into multiple tokens.
-     * If the ratio of estimated tokens to char count exceeds 3x, flag it.
-     */
-    private detectTokenBudgetAttack;
-    /**
-     * Detect encoded content (base64, hex, HTML entities, URL encoding),
-     * decode it, and re-scan the decoded content through injection patterns.
-     * If the decoded content contains injection patterns, flag as encoding_evasion.
-     */
-    private detectEncodedPayloads;
-    /**
-     * Check if a string contains any injection patterns (role override or security bypass).
-     */
-    private containsInjectionPatterns;
-    /**
-     * Safely decode a base64 string. Returns null if it's not valid base64
-     * or doesn't decode to a meaningful string.
-     */
-    private safeBase64Decode;
-    /**
-     * Safely decode a hex string. Returns null on failure.
-     */
-    private safeHexDecode;
-    /**
-     * Decode HTML numeric entities (&#xHH; and &#DDD;) in a string.
-     */
-    private decodeHtmlEntities;
-    /**
-     * Safely decode a URL-encoded string. Returns null on failure.
-     */
-    private safeUrlDecode;
-    /**
-     * Heuristic: does this look like readable text (vs. binary garbage)?
-     * Checks that most characters are printable ASCII or common Unicode.
-     */
-    private looksLikeText;
-    /**
-     * Detect API keys and secrets in outbound content.
-     */
-    private detectSecretPatterns;
-    /**
-     * Detect data exfiltration via markdown images with data-carrying query params.
-     */
-    private detectOutboundExfiltration;
-    /**
-     * Detect internal filesystem path leaks in outbound content.
-     */
-    private detectInternalPathLeaks;
-    /**
-     * Detect private IP addresses and localhost references in outbound content.
+     * @param publicKeys - Map of DID → public key bytes for signature verification
      */
-    private detectPrivateNetworkLeaks;
+    importBundle(bundle: ReputationBundle, verifySignatures: boolean, publicKeys: Map<string, Uint8Array>): Promise<{
+        imported: number;
+        invalid: number;
+        contexts: string[];
+    }>;
     /**
-     * Detect role markers / prompt template artifacts in outbound content.
-     * These should never appear in agent output — their presence indicates
-     * injection artifact survival.
+     * Create an escrow for trust bootstrapping.
      */
-    private detectOutputRoleMarkers;
+    createEscrow(transactionTerms: string, counterpartyDid: string, timeoutSeconds: number, creatorDid: string, collateralAmount?: number): Promise<Escrow>;
     /**
-     * Detect base64 strings, base64url, and zero-width character evasion.
+     * Get an escrow by ID.
      */
-    private detectEncodingEvasion;
+    getEscrow(escrowId: string): Promise<Escrow | null>;
     /**
-     * Detect URLs and emails in fields that shouldn't have them.
+     * Create a principal's guarantee for a new agent.
      */
-    private detectDataExfiltration;
+    createGuarantee(principalIdentity: StoredIdentity, agentDid: string, scope: string, durationSeconds: number, identityEncryptionKey: Uint8Array, maxLiability?: number): Promise<Guarantee>;
     /**
-     * Detect prompt stuffing: very large strings or high repetition.
+     * Load attestations for tier-weighted scoring.
+     * Applies basic context/counterparty filtering, returns full StoredAttestations
+     * so callers can access sovereignty_tier from attestation data.
      */
-    private detectPromptStuffing;
+    loadAllForTierScoring(options?: {
+        context?: string;
+        counterparty_did?: string;
+    }): Promise<StoredAttestation[]>;
+    private loadAll;
+}
+
+/**
+ * Sanctuary MCP Server — Federation Types
+ *
+ * MCP-to-MCP federation enables two Sanctuary instances to:
+ *   1. Discover each other's capabilities (SIM exchange)
+ *   2. Establish mutual trust (sovereignty handshake)
+ *   3. Exchange signed reputation attestations
+ *   4. Evaluate trust for cross-instance interactions
+ *
+ * Federation operates as a protocol layer atop the handshake:
+ *   Handshake establishes trust → Federation uses that trust for ongoing operations.
+ *
+ * Key constraint: Federation MUST respect each party's sovereignty.
+ * Neither party can compel the other to share data they haven't disclosed
+ * via their disclosure policy.
+ */
+
+/** A known federation peer */
+interface FederationPeer {
+    /** The peer's instance ID (from their SHR) */
+    peer_id: string;
+    /** The peer's DID (identity) */
+    peer_did: string;
+    /** When this peer was first seen */
+    first_seen: string;
+    /** When last handshake completed */
+    last_handshake: string;
+    /** Current trust tier from most recent handshake */
+    trust_tier: SovereigntyTier;
+    /** Handshake result (for tier resolution) */
+    handshake_result: HandshakeResult;
+    /** Peer's advertised capabilities (from their SIM) */
+    capabilities: FederationCapabilities;
+    /** Whether we have a valid (non-expired) handshake */
+    active: boolean;
+}
+/** Capabilities a peer advertises for federation */
+interface FederationCapabilities {
+    /** Whether the peer supports reputation exchange */
+    reputation_exchange: boolean;
+    /** Whether the peer supports mutual attestation */
+    mutual_attestation: boolean;
+    /** Whether the peer supports encrypted channels */
+    encrypted_channel: boolean;
+    /** Supported attestation formats */
+    attestation_formats: string[];
+}
+/** Trust evaluation result for a federation peer */
+interface PeerTrustEvaluation {
+    peer_id: string;
+    /** Current sovereignty tier (from handshake) */
+    sovereignty_tier: SovereigntyTier;
+    /** Whether handshake is current (not expired) */
+    handshake_current: boolean;
+    /** Reputation summary (if available) */
+    reputation_score?: number;
+    /** How many mutual attestations we share */
+    mutual_attestation_count: number;
+    /** Overall trust assessment */
+    trust_level: "high" | "medium" | "low" | "none";
+    /** Reasoning for the assessment */
+    factors: string[];
+    /** Evaluated at */
+    evaluated_at: string;
+}
+
+/**
+ * Sanctuary MCP Server — Federation Peer Registry
+ *
+ * Manages known federation peers. Peers are discovered through handshakes
+ * and tracked for ongoing federation operations.
+ *
+ * The registry is the source of truth for:
+ * - Who we've federated with
+ * - Current trust status of each peer
+ * - Peer capabilities (what operations they support)
+ *
+ * Security invariants:
+ * - Peers are ONLY added through completed handshakes (not self-registration)
+ * - Trust tiers degrade automatically when handshakes expire
+ * - Peer data is stored encrypted under L1 sovereignty
+ */
+
+declare class FederationRegistry {
+    private peers;
     /**
-     * Determine if this field is inherently safe from role override.
+     * Register or update a peer from a completed handshake.
+     * This is the ONLY way peers enter the registry.
      */
-    private isSafeField;
+    registerFromHandshake(result: HandshakeResult, peerDid: string, capabilities?: Partial<FederationCapabilities>): FederationPeer;
     /**
-     * Determine if this is a tool name field (where tool refs are expected).
+     * Get a peer by instance ID.
+     * Automatically updates active status based on handshake expiry.
      */
-    private isToolNameField;
+    getPeer(peerId: string): FederationPeer | null;
     /**
-     * Determine if this field is safe for URLs.
+     * List all known peers, optionally filtered by status.
      */
-    private isUrlSafeField;
+    listPeers(filter?: {
+        active_only?: boolean;
+    }): FederationPeer[];
     /**
-     * Determine if this field is safe for emails.
+     * Evaluate trust for a federation peer.
+     *
+     * Trust assessment considers:
+     * - Handshake status (current vs expired)
+     * - Sovereignty tier (verified-sovereign vs degraded vs unverified)
+     * - Reputation data (if available)
+     * - Mutual attestation history
      */
-    private isEmailSafeField;
+    evaluateTrust(peerId: string, mutualAttestationCount?: number, reputationScore?: number): PeerTrustEvaluation;
     /**
-     * Determine if this field is safe for structured data (JSON/XML).
+     * Remove a peer from the registry.
      */
-    private isStructuredField;
+    removePeer(peerId: string): boolean;
     /**
-     * SEC-032/SEC-034: Map common cross-script confusable characters to their
-     * Latin equivalents. NFKC normalization handles fullwidth and compatibility
-     * forms, but does NOT map Cyrillic/Greek/Armenian/Georgian lookalikes to
-     * Latin (they're distinct codepoints by design).
-     *
-     * Extended to 50+ confusable pairs covering Cyrillic, Greek, Armenian,
-     * Georgian, Cherokee, and mathematical/symbol lookalikes.
+     * Get the handshake results map (for tier resolution integration).
      */
-    private normalizeConfusables;
+    getHandshakeResults(): Map<string, HandshakeResult>;
+}
+
+/**
+ * Sanctuary MCP Server — L2 Operational Isolation: Context Gating
+ *
+ * Context gating controls what information leaves the sovereignty boundary
+ * when an agent makes outbound calls — especially inference calls to remote
+ * LLM providers. This is the "minimum-necessary context" enforcement layer.
+ *
+ * The problem: When an agent sends a request to a remote LLM provider (Claude,
+ * GPT, etc.), most harnesses send the agent's full context — conversation
+ * history, memory, tool results, preferences, internal reasoning. The agent
+ * has no control over what the provider sees.
+ *
+ * Context gating lets the agent define:
+ * - Provider categories (inference, tool-api, logging, analytics, etc.)
+ * - What fields/categories of context may flow to each provider type
+ * - What must always be redacted (secrets, internal reasoning, PII, etc.)
+ * - What requires transformation (hashing, summarizing, anonymizing)
+ *
+ * This sits in L2 (Operational Isolation) because it controls information
+ * flow at the execution boundary. L3 (Selective Disclosure) handles agent-
+ * to-agent trust negotiation with cryptographic proofs; context gating
+ * handles agent-to-infrastructure information flow.
+ *
+ * Security invariants:
+ * - Redact rules take absolute priority (like withhold in L3)
+ * - Policies are stored encrypted under L1 sovereignty
+ * - Every filter operation is audit-logged with a content hash
+ *   (what was sent, what was redacted — without storing the content itself)
+ * - Default policy: redact everything not explicitly allowed
+ */
+
+/** Provider categories that context may flow to */
+type ProviderCategory = "inference" | "tool-api" | "logging" | "analytics" | "peer-agent" | "custom";
+/** Actions that can be taken on a context field */
+type ContextAction = "allow" | "redact" | "hash" | "summarize" | "deny";
+/** A rule within a context-gating policy */
+interface ContextGateRule {
+    /** Provider category this rule applies to */
+    provider: ProviderCategory | "*";
+    /** Fields/patterns that may pass through */
+    allow: string[];
+    /** Fields/patterns that must be redacted (highest priority) */
+    redact: string[];
+    /** Fields/patterns that should be hashed */
+    hash: string[];
+    /** Fields/patterns that should be summarized (advisory) */
+    summarize: string[];
+}
+/** A complete context-gating policy */
+interface ContextGatePolicy {
+    policy_id: string;
+    policy_name: string;
+    rules: ContextGateRule[];
+    /** Default action when no rule matches a field */
+    default_action: "redact" | "deny";
+    /** Identity this policy is bound to (optional) */
+    identity_id?: string;
+    created_at: string;
+    updated_at: string;
+}
+/** Result of filtering a single field */
+interface FieldFilterResult {
+    field: string;
+    action: ContextAction;
+    reason: string;
+    /** If action is "hash", contains the hash */
+    hash_value?: string;
+}
+/** Result of a full context filter operation */
+interface ContextFilterResult {
+    policy_id: string;
+    provider: ProviderCategory | string;
+    fields_allowed: number;
+    fields_redacted: number;
+    fields_hashed: number;
+    fields_summarized: number;
+    fields_denied: number;
+    decisions: FieldFilterResult[];
+    /** SHA-256 hash of the original context (for audit trail) */
+    original_context_hash: string;
+    /** SHA-256 hash of the filtered output (for audit trail) */
+    filtered_context_hash: string;
+    filtered_at: string;
+}
+/**
+ * Evaluate a context field against a policy for a given provider.
+ *
+ * Priority order (same as L3 disclosure):
+ * 1. Redact (blocks — highest priority)
+ * 2. Deny (blocks entire request)
+ * 3. Hash (transforms)
+ * 4. Summarize (advisory transform)
+ * 5. Allow (passes through)
+ * 6. Default action
+ */
+declare function evaluateField(policy: ContextGatePolicy, provider: ProviderCategory | string, field: string): FieldFilterResult;
+/**
+ * Filter a full context object against a policy for a given provider.
+ * Returns per-field decisions and content hashes for the audit trail.
+ */
+declare function filterContext(policy: ContextGatePolicy, provider: ProviderCategory | string, context: Record<string, unknown>): ContextFilterResult;
+/**
+ * Context gate policy store — encrypted under L1 sovereignty.
+ */
+declare class ContextGatePolicyStore {
+    private storage;
+    private encryptionKey;
+    private policies;
+    constructor(storage: StorageBackend, masterKey: Uint8Array);
     /**
-     * Compute confidence score based on signals.
-     * More high-severity signals = higher confidence.
+     * Create and store a new context-gating policy.
      */
-    private computeConfidence;
+    create(policyName: string, rules: ContextGateRule[], defaultAction: "redact" | "deny", identityId?: string): Promise<ContextGatePolicy>;
     /**
-     * Compute recommendation based on signals and sensitivity.
+     * Get a policy by ID.
      */
-    private computeRecommendation;
+    get(policyId: string): Promise<ContextGatePolicy | null>;
     /**
-     * Get statistics about scans performed.
+     * List all context-gating policies.
      */
-    getStats(): {
-        total_scans: number;
-        total_flags: number;
-        total_blocks: number;
-        signals_by_type: Record<string, number>;
-    };
+    list(): Promise<ContextGatePolicy[]>;
     /**
-     * Reset statistics.
+     * Load all persisted policies into memory.
      */
-    resetStats(): void;
+    private loadAll;
+    private persist;
 }
 
 /**
- * Sanctuary MCP Server — Principal Policy Types
+ * Sanctuary MCP Server — L2 Context Gating: Starter Policy Templates
  *
- * Type definitions for the Principal Policy system.
- * The Principal Policy is the human-controlled, agent-immutable
- * configuration that gates operations through approval tiers.
- */
-/** Tier 2 anomaly action: what to do when an anomaly is detected */
-type AnomalyAction = "approve" | "log" | "allow";
-/** Tier 2 anomaly detection configuration */
-interface Tier2Config {
-    /** Action when agent accesses a namespace it hasn't used before */
-    new_namespace_access: AnomalyAction;
-    /** Action when agent interacts with an unknown counterparty DID */
-    new_counterparty: AnomalyAction;
-    /** Tool call frequency multiplier that triggers anomaly */
-    frequency_spike_multiplier: number;
-    /** Maximum signing operations per minute before triggering */
-    max_signs_per_minute: number;
-    /** Reading more than N keys in a namespace within 60 seconds */
-    bulk_read_threshold: number;
-    /** Policy for first session when no baseline exists */
-    first_session_policy: AnomalyAction;
-}
-/** Approval channel configuration */
-interface ApprovalChannelConfig {
-    type: "stderr" | "webhook" | "callback";
-    timeout_seconds: number;
-    /**
-     * SEC-002: auto_deny is hardcoded to true and not configurable.
-     * Timeout on any approval channel ALWAYS results in denial.
-     * This field is retained for backward compatibility with existing
-     * policy files but is ignored — timeout always denies.
-     */
-    auto_deny?: boolean;
-    webhook_url?: string;
-    webhook_secret?: string;
-}
-/** Complete Principal Policy */
-interface PrincipalPolicy {
-    version: number;
-    /** Operations that always require human approval */
-    tier1_always_approve: string[];
-    /** Behavioral anomaly detection configuration */
-    tier2_anomaly: Tier2Config;
-    /** Operations that never require approval (audit only) */
-    tier3_always_allow: string[];
-    /** How approval requests reach the human */
-    approval_channel: ApprovalChannelConfig;
-}
-/** Approval request sent to the human */
-interface ApprovalRequest {
-    operation: string;
-    tier: 1 | 2;
-    reason: string;
-    context: Record<string, unknown>;
-    timestamp: string;
-}
-/** Approval response from the human */
-interface ApprovalResponse {
-    decision: "approve" | "deny";
-    decided_at: string;
-    decided_by: "human" | "timeout" | "auto" | "stderr:non-interactive";
-}
-/** Result of the approval gate evaluation */
-interface GateResult {
-    allowed: boolean;
-    tier: 1 | 2 | 3;
-    reason: string;
-    approval_required: boolean;
-    approval_response?: ApprovalResponse;
-}
-/** Behavioral baseline for anomaly detection */
-interface SessionProfile {
-    /** Namespaces accessed (read or write) */
-    known_namespaces: string[];
-    /** Counterparty DIDs seen in reputation operations */
-    known_counterparties: string[];
-    /** Tool call counts per tool name (lifetime in session) */
-    tool_call_counts: Record<string, number>;
-    /** Whether this is the first session (no prior baseline) */
-    is_first_session: boolean;
-    /** Session start time */
-    started_at: string;
-    /** When the baseline was last saved */
-    saved_at?: string;
-}
-
-/**
- * Sanctuary MCP Server — Approval Channel
+ * Pre-built policies for common use cases. These are starting points —
+ * users should customize them for their specific context structure.
  *
- * Out-of-band communication with the human principal for operation approval.
- * The default channel uses stderr (outside MCP's stdin/stdout protocol),
- * ensuring the agent cannot intercept or forge approval responses.
+ * Templates:
  *
- * Security invariant:
- * - Approval prompts go through a channel the agent cannot access.
- * - Timeouts result in denial by default (fail closed).
+ *   inference-minimal
+ *     Only the current task and query reach the LLM. Everything else
+ *     is redacted. Secrets, PII, memory, reasoning, and history are
+ *     all blocked. IDs are hashed. Maximum privacy, minimum context.
+ *
+ *   inference-standard
+ *     Task, query, and tool results pass through. Conversation history
+ *     is flagged for summarization (compress before sending). Secrets,
+ *     PII, and internal reasoning are redacted. IDs are hashed.
+ *     Balanced: the LLM has enough context to be useful without seeing
+ *     everything the agent knows.
+ *
+ *   logging-strict
+ *     Redacts everything for logging/analytics providers. Only
+ *     operation names and timestamps pass through. Use this for
+ *     telemetry services where you want usage metrics without
+ *     content exposure.
+ *
+ *   tool-api-scoped
+ *     Allows tool-specific parameters and the current task, redacts
+ *     memory, history, secrets, and PII. Hashes IDs. For outbound
+ *     calls to external APIs (search, database, etc.) where you need
+ *     to send query parameters but not your agent's full state.
  */
 
-/** Abstract approval channel interface */
-interface ApprovalChannel {
-    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
+/** A template definition ready to be applied via the policy store */
+interface ContextGateTemplate {
+    /** Machine-readable template ID */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** One-line description */
+    description: string;
+    /** When to use this template */
+    use_when: string;
+    /** The rules that make up this template */
+    rules: ContextGateRule[];
+    /** Default action for unmatched fields */
+    default_action: "redact" | "deny";
 }
+/** All available templates, keyed by ID */
+declare const TEMPLATES: Record<string, ContextGateTemplate>;
+/** List all available template IDs */
+declare function listTemplateIds(): string[];
+/** Get a template by ID (returns undefined if not found) */
+declare function getTemplate(id: string): ContextGateTemplate | undefined;
+
 /**
- * Stderr approval channel — non-interactive informational channel.
+ * Sanctuary MCP Server — L2 Context Gating: Policy Recommendation Engine
  *
- * In the MCP stdio model:
- * - stdin/stdout carry the MCP protocol (JSON-RPC)
- * - stderr is available for out-of-band human communication
+ * Analyzes a sample context object and recommends a context-gating policy
+ * based on field name heuristics. The agent (or human) can then review,
+ * adjust, and apply the recommendation.
  *
- * Because stdin is consumed by the MCP JSON-RPC transport, this channel
- * CANNOT read interactive human input. It is strictly informational:
- * the prompt is displayed so the human sees what is happening, and the
- * operation is denied immediately.
+ * This is deliberately conservative: when in doubt, it recommends redact.
+ * A false redaction is a usability issue; a false allow is a privacy leak.
  *
- * SEC-002 + SEC-016 invariants:
- * - This channel ALWAYS denies. No configuration can change this.
- * - There is no timeout or async delay — denial is synchronous.
- * - The `auto_deny` config field is ignored (SEC-002).
- * - For interactive approval, use the dashboard or webhook channel.
+ * Classification heuristics:
+ * - Known secret patterns → redact (highest confidence)
+ * - Known PII patterns → redact (high confidence)
+ * - Known internal state patterns → redact (high confidence)
+ * - Known ID patterns → hash (medium confidence)
+ * - Known history patterns → summarize (medium confidence)
+ * - Known task/query patterns → allow (medium confidence)
+ * - Everything else → redact (conservative default)
+ *
+ * WARNING: Fields like 'tool_results' and 'tool_output' are classified as
+ * "allow" (medium confidence) but may contain sensitive data from external
+ * API responses, including auth tokens, user data, or PII. Always review
+ * recommendations before applying — the heuristic classifies by field NAME,
+ * not field CONTENT.
  */
-declare class StderrApprovalChannel implements ApprovalChannel {
-    constructor(_config: ApprovalChannelConfig);
-    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
-    private formatPrompt;
+/** Classification result for a single field */
+interface FieldClassification {
+    field: string;
+    recommended_action: "allow" | "redact" | "hash" | "summarize";
+    reason: string;
+    confidence: "high" | "medium" | "low";
+    /** Pattern that matched, if any */
+    matched_pattern: string | null;
+}
+/** Full recommendation result */
+interface PolicyRecommendation {
+    provider: string;
+    classifications: FieldClassification[];
+    recommended_rules: {
+        allow: string[];
+        redact: string[];
+        hash: string[];
+        summarize: string[];
+    };
+    default_action: "redact";
+    summary: {
+        total_fields: number;
+        allow: number;
+        redact: number;
+        hash: number;
+        summarize: number;
+    };
+    warnings: string[];
 }
 /**
- * Programmatic approval channel — for testing and API integration.
+ * Classify a single field name and return a recommendation.
  */
-declare class CallbackApprovalChannel implements ApprovalChannel {
-    private callback;
-    constructor(callback: (request: ApprovalRequest) => Promise<ApprovalResponse>);
-    requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;
-}
+declare function classifyField(fieldName: string): FieldClassification;
 /**
- * Auto-approve channel — for testing. Approves everything.
+ * Analyze a full context object and recommend a policy.
  */
-declare class AutoApproveChannel implements ApprovalChannel {
-    requestApproval(_request: ApprovalRequest): Promise<ApprovalResponse>;
-}
+declare function recommendPolicy(context: Record<string, unknown>, provider?: string): PolicyRecommendation;
 
 /**
- * Sanctuary MCP Server — Behavioral Baseline Tracker
+ * Sanctuary MCP Server — L2 Model Provenance
  *
- * Tracks the agent's behavioral profile during a session and persists
- * it for cross-session anomaly detection. The baseline defines "normal"
- * so that deviations can trigger Tier 2 approval.
+ * Declares and attests to the model(s) powering this agent.
  *
- * Security invariants:
- * - Baseline is stored encrypted under L1 sovereignty
- * - Baseline changes are audit-logged
- * - Baseline is integrity-verified via L1 Merkle tree
- * - No MCP tool can directly modify the baseline
+ * Vitalik Buterin's "Secure LLM" post (April 2026) identified a critical gap:
+ * open-weights-but-not-open-source models can have trained-in backdoors. Model
+ * provenance declaration lets agents and their operators verify the integrity
+ * of the inference backbone.
+ *
+ * Tracks: model name, version, weights hash, license, open-source status,
+ * training data hash (if available). Included in SHR L2 section.
+ *
+ * This sits in L2 (Operational Isolation) because it's part of the runtime
+ * attestation surface — the agent declares what model(s) it's actually running.
  */
-
-declare class BaselineTracker {
-    private storage;
-    private encryptionKey;
-    private profile;
-    /** Sliding window: timestamps of tool calls per tool name (last 60s) */
-    private callWindows;
-    /** Sliding window: read counts per namespace (last 60s) */
-    private readWindows;
-    /** Sliding window: sign call timestamps (last 60s) */
-    private signWindow;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
-    /**
-     * Load the previous session's baseline from storage.
-     * If none exists, this is a first session.
-     */
-    load(): Promise<void>;
-    /**
-     * Save the current baseline to storage (encrypted).
-     * Called at session end or periodically.
-     */
-    save(): Promise<void>;
-    /**
-     * Record a tool call for baseline tracking.
-     * Returns anomaly information if applicable.
-     */
-    recordToolCall(toolName: string): void;
-    /**
-     * Record a namespace access.
-     * @returns true if this is a new namespace (not in baseline)
-     */
-    recordNamespaceAccess(namespace: string): boolean;
+/**
+ * Metadata about a single model powering this agent.
+ */
+interface ModelProvenance {
+    /** Machine-readable model ID (e.g., "qwen3.5-35b", "claude-opus-4", "llama-3.3-70b-instruct") */
+    model_id: string;
+    /** Human-readable model name (e.g., "Qwen 3.5", "Claude Opus 4", "Llama 3.3 70B Instruct") */
+    model_name: string;
+    /** Semantic version (e.g., "3.5", "4.0", "3.3") */
+    model_version: string;
+    /** Provider/vendor (e.g., "Alibaba Cloud", "Anthropic", "Meta", "local") */
+    provider: string;
+    /** SHA-256 of model weights file, if available and verifiable */
+    weights_hash?: string;
+    /** SHA-256 of training data manifest or metadata, if available */
+    training_data_hash?: string;
+    /** License identifier (e.g., "Apache-2.0", "CC-BY-4.0", "proprietary", "unknown") */
+    license: string;
+    /** True if model weights are publicly available (even if training is proprietary) */
+    open_weights: boolean;
+    /** True if full training code, data, and methodology are publicly available */
+    open_source: boolean;
+    /** True if inference runs on the local agent's hardware (not delegated to cloud API) */
+    local_inference: boolean;
+    /** ISO 8601 timestamp when this provenance was declared */
+    declared_at: string;
+}
+/**
+ * In-memory and persistent store for model provenance declarations.
+ * Declarations are encrypted under L1 sovereignty.
+ */
+interface ModelProvenanceStore {
     /**
-     * Record a namespace read for bulk-read detection.
-     * @returns the number of reads in the current 60-second window
+     * Declare a model's provenance and add it to the store.
      */
-    recordNamespaceRead(namespace: string): number;
+    declare(provenance: ModelProvenance): void;
     /**
-     * Record a counterparty DID interaction.
-     * @returns true if this is a new counterparty (not in baseline)
+     * Retrieve a model's provenance by ID.
      */
-    recordCounterparty(did: string): boolean;
+    get(model_id: string): ModelProvenance | undefined;
     /**
-     * Record a signing operation.
-     * @returns the number of signs in the current 60-second window
+     * List all declared models.
      */
-    recordSign(): number;
+    list(): ModelProvenance[];
     /**
-     * Get the current call rate for a tool (calls per minute).
+     * Get the primary/main model (the one the agent uses by default for inference).
      */
-    getCallRate(toolName: string): number;
+    primary(): ModelProvenance | undefined;
     /**
-     * Get the average call rate across all tools in the baseline.
+     * Set which model is the primary.
      */
-    getAverageCallRate(): number;
-    /** Whether this is the first session */
-    get isFirstSession(): boolean;
-    /** Get a read-only view of the current profile */
-    getProfile(): SessionProfile;
+    setPrimary(model_id: string): void;
 }
-
 /**
- * Sanctuary MCP Server — Approval Gate
- *
- * The three-tier approval gate sits between the MCP router and tool handlers.
- * Every tool call passes through the gate before execution.
- *
- * Evaluation order:
- * 1. Tier 1: Is this operation in the always-approve list? → Request approval.
- * 2. Tier 2: Does this call represent a behavioral anomaly? → Request approval.
- * 3. Tier 3 / default: Allow with audit logging.
- *
- * Security invariants:
- * - The gate cannot be bypassed — it wraps every tool handler.
- * - Denial responses do not reveal policy details to the agent.
- * - All gate decisions (approve, deny, allow) are audit-logged.
+ * In-memory implementation of ModelProvenanceStore.
+ * Suitable for most use cases. For encrypted persistence, integrate with L1 state store.
  */
-
-/** Callback invoked when an injection is detected, for dashboard broadcasting */
-type InjectionAlertCallback = (alert: {
-    toolName: string;
-    result: DetectionResult;
-    timestamp: string;
-}) => void;
-/** Resolver for proxy tool tiers — provided by the ProxyRouter */
-type ProxyTierResolver = (toolName: string) => (1 | 2 | 3) | null;
-declare class ApprovalGate {
-    private policy;
-    private baseline;
-    private channel;
-    private auditLog;
-    private injectionDetector;
-    private onInjectionAlert?;
-    private proxyTierResolver?;
-    constructor(policy: PrincipalPolicy, baseline: BaselineTracker, channel: ApprovalChannel, auditLog: AuditLog, injectionDetector?: InjectionDetector, onInjectionAlert?: InjectionAlertCallback);
-    /**
-     * Set the proxy tier resolver. Called after the proxy router is initialized.
-     */
-    setProxyTierResolver(resolver: ProxyTierResolver): void;
+declare class InMemoryModelProvenanceStore implements ModelProvenanceStore {
+    private models;
+    private primaryModelId;
+    declare(provenance: ModelProvenance): void;
+    get(model_id: string): ModelProvenance | undefined;
+    list(): ModelProvenance[];
+    primary(): ModelProvenance | undefined;
+    setPrimary(model_id: string): void;
+}
+/**
+ * Common model provenance presets for quick initialization.
+ */
+declare const MODEL_PRESETS: {
     /**
-     * Evaluate a tool call against the Principal Policy.
-     *
-     * @param toolName - Full MCP tool name (e.g., "state_export")
-     * @param args - Tool call arguments (for context extraction)
-     * @returns GateResult indicating whether the call is allowed
+     * Claude Opus 4 via Anthropic API (cloud inference, closed weights/source)
      */
-    evaluate(toolName: string, args: Record<string, unknown>): Promise<GateResult>;
+    claudeOpus4: () => ModelProvenance;
     /**
-     * Detect Tier 2 behavioral anomalies.
+     * Qwen 3.5 via local inference (open weights, proprietary training)
      */
-    private detectAnomaly;
+    qwen35Local: () => ModelProvenance;
     /**
-     * Request approval from the human principal.
+     * Llama 3.3 70B via local inference (open weights and code)
      */
-    private requestApproval;
+    llama33Local: () => ModelProvenance;
     /**
-     * Summarize tool arguments for the approval prompt.
-     * Strips potentially large values to keep the prompt readable.
+     * Mistral 7B (open weights, open code, local inference)
      */
-    private summarizeArgs;
-    /** Get the baseline tracker for saving at session end */
-    getBaseline(): BaselineTracker;
-    /** Get the injection detector for stats/configuration access */
-    getInjectionDetector(): InjectionDetector;
-}
-
-/**
- * Sanctuary MCP Server — Tool Router
- *
- * Routes sanctuary/* tool calls to their layer-specific handlers.
- * Every tool call passes through schema validation and the ApprovalGate
- * (if configured) before execution. Neither can be bypassed.
- *
- * This module is the abstraction boundary for MCP SDK version migration —
- * if the SDK API changes, only this module needs updating.
- */
-
-/** Tool handler function signature */
-type ToolHandler = (args: Record<string, unknown>) => Promise<{
-    content: Array<{
-        type: "text";
-        text: string;
-    }>;
-}>;
-/** Tool definition for registration */
-interface ToolDefinition {
-    name: string;
-    description: string;
-    inputSchema: Record<string, unknown>;
-    handler: ToolHandler;
-}
+    mistral7bLocal: () => ModelProvenance;
+};
 
 /**
  * Sanctuary MCP Server — L2 Context Gating: Automatic Enforcer
@@ -2620,37 +2657,6 @@ declare class FilesystemStorage implements StorageBackend {
  */
 declare function loadPrincipalPolicy(storagePath: string): Promise<PrincipalPolicy>;
 
-/**
- * Sanctuary MCP Server — L1 Cognitive Sovereignty: Tool Definitions
- *
- * MCP tool wrappers for StateStore and IdentityRoot operations.
- * These tools are the public API that agents interact with.
- */
-
-/** Manages all identities — provides storage and retrieval */
-declare class IdentityManager {
-    private storage;
-    private masterKey;
-    private identities;
-    private primaryIdentityId;
-    constructor(storage: StorageBackend, masterKey: Uint8Array);
-    private get encryptionKey();
-    /** Load identities from storage on startup.
-     *  Returns { total: number of encrypted files found, loaded: number successfully decrypted }.
-     *  A mismatch (total > 0, loaded === 0) indicates a wrong master key / missing passphrase.
-     */
-    load(): Promise<{
-        total: number;
-        loaded: number;
-        failed: number;
-    }>;
-    /** Save an identity to storage */
-    save(identity: StoredIdentity): Promise<void>;
-    get(id: string): StoredIdentity | undefined;
-    getDefault(): StoredIdentity | undefined;
-    list(): PublicIdentity[];
-}
-
 /**
  * Sanctuary MCP Server — SHR Generator
  *
@@ -3368,6 +3374,16 @@ declare function verifyBridgeCommitment(commitment: BridgeCommitment, outcome: C
 interface SanctuaryServer {
     server: Server;
     config: SanctuaryConfig;
+    /**
+     * Runtime dependencies exposed for embedding callers that need
+     * direct access to the Sanctuary substrate (e.g., the EU AI Act
+     * compliance CLI subcommand). Most callers only use `server` and
+     * `config`; these are optional-usage extras.
+     */
+    identityManager: IdentityManager;
+    masterKey: Uint8Array;
+    auditLog: AuditLog;
+    policy: PrincipalPolicy;
 }
 /**
  * Initialize the Sanctuary MCP Server.